Joe Sandbox Cloud Basic Analysis Report
Create Interactive Tour

Windows Analysis Report gimmer_bot_.exe

Overview

General Information

Sample Name:gimmer_bot_.exe
Analysis ID:478837
MD5:e41a75968f8870dafde82be208250165
SHA1:90ad160d773b3a27e96e741f4b32514f9ce5f0b3
SHA256:dfe58673321d387512d2604be0b7219ee758f2e717c13b64f6cfd7f7a846339f
Tags:bitbucketorgexe
Infos:

Most interesting Screenshot:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Disable Task List ballon tips (likely to surpress security warnings)
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • gimmer_bot_.exe (PID: 3764 cmdline: 'C:\Users\user\Desktop\gimmer_bot_.exe' MD5: E41A75968F8870DAFDE82BE208250165)
    • gimmer_bot_.exe (PID: 1384 cmdline: {path} MD5: E41A75968F8870DAFDE82BE208250165)
    • gimmer_bot_.exe (PID: 496 cmdline: {path} MD5: E41A75968F8870DAFDE82BE208250165)
      • WerFault.exe (PID: 6628 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 1944 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • efsui.exe (PID: 6424 cmdline: efsui.exe /efs /keybackup MD5: DC2961C58C8E0395105285C342C65BE8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

  • AV Detection
  • Compliance
  • Spreading
  • Software Vulnerabilities
  • Networking
  • Key, Mouse, Clipboard, Microphone and Screen Capturing
  • System Summary
  • Data Obfuscation
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection
  • Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: gimmer_bot_.exeVirustotal: Detection: 55%Perma Link
Source: gimmer_bot_.exeReversingLabs: Detection: 60%
Antivirus / Scanner detection for submitted sample
Source: gimmer_bot_.exeAvira: detected
Machine Learning detection for sample
Source: gimmer_bot_.exeJoe Sandbox ML: detected
Source: gimmer_bot_.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknownHTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.7:49710 version: TLS 1.0
Source: gimmer_bot_.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.326622260.0000000004DA2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb_ source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb` source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: dhcpcsvc.pdb4 source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb! source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: version.pdb= source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb7 source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: indows.Forms.pdb" source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: System.pdb""T source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: k,C:\Windows\System.pdb source: gimmer_bot_.exe, 0000000B.00000002.359052439.0000000000B98000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbr source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: System.pdb@@ source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\gimmer_bot_.PDBv}M9 source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: gimmer_bot_.exe, 0000000B.00000000.316232072.00000000061FE000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb1 source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbD source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb$ source: WerFault.exe, 00000016.00000003.338350652.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb" source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb+ source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: gimmer_bot_.PDB61002-w source: gimmer_bot_.exe, 0000000B.00000000.309253273.0000000000B98000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbx] source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: gimmer_bot_.exe, 0000000B.00000000.316232072.00000000061FE000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: ws2_32.pdbV source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\gimmer_bot_.PDB source: gimmer_bot_.exe, 0000000B.00000000.309253273.0000000000B98000.00000004.00000001.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: System.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb` source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: secur32.pdbx source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: gimmer_bot_.exe, 0000000B.00000000.312019728.000000000620A000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb~ source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: iphlpapi.pdb( source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdb: source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F9778 FindFirstFileW,11_2_052F9778
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F9CCD FindFirstFileW,11_2_052F9CCD
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h0_2_02DDDB18

Networking:

barindex
May check the online IP address of the machine
Source: C:\Users\user\Desktop\gimmer_bot_.exeDNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\gimmer_bot_.exeDNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\gimmer_bot_.exeDNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\gimmer_bot_.exeDNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\gimmer_bot_.exeDNS query: name: ip-api.com
Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
Source: unknownHTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.7:49710 version: TLS 1.0
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: gimmer_bot_.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: gimmer_bot_.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: gimmer_bot_.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: gimmer_bot_.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: gimmer_bot_.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.com
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org
Source: gimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org(NjQuMjMzLjE3Mi4xMDc=
Source: gimmer_bot_.exe, 0000000B.00000000.310665140.0000000002F68000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org/
Source: gimmer_bot_.exe, 0000000B.00000000.310682952.0000000002F72000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org4
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: gimmer_bot_.exeString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: gimmer_bot_.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: gimmer_bot_.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: gimmer_bot_.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: gimmer_bot_.exeString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: gimmer_bot_.exeString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: gimmer_bot_.exeString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: gimmer_bot_.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: gimmer_bot_.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: gimmer_bot_.exeString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: gimmer_bot_.exeString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: gimmer_bot_.exeString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl0
Source: gimmer_bot_.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: gimmer_bot_.exe, 00000000.00000003.255422309.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.255707762.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com
Source: gimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com/json/
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com/json/H
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com4
Source: gimmer_bot_.exeString found in binary or memory: http://ocsp.digicert.com0A
Source: gimmer_bot_.exeString found in binary or memory: http://ocsp.digicert.com0C
Source: gimmer_bot_.exeString found in binary or memory: http://ocsp.digicert.com0H
Source: gimmer_bot_.exeString found in binary or memory: http://ocsp.digicert.com0I
Source: gimmer_bot_.exeString found in binary or memory: http://ocsp.digicert.com0L
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: gimmer_bot_.exeString found in binary or memory: http://ocsp.sectigo.com0
Source: gimmer_bot_.exeString found in binary or memory: http://ocsp.thawte.com0
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/WebPage
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: gimmer_bot_.exe, 0000000B.00000000.310665140.0000000002F68000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: gimmer_bot_.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: gimmer_bot_.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: gimmer_bot_.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gimmer_bot_.exe, 00000000.00000003.262704562.0000000006033000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.262435316.0000000006033000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: gimmer_bot_.exe, 00000000.00000003.262704562.0000000006033000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlJC
Source: gimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.260406300.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
Source: gimmer_bot_.exe, 00000000.00000003.260406300.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.
Source: gimmer_bot_.exe, 00000000.00000003.260406300.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.122U
Source: gimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comCt
Source: gimmer_bot_.exe, 00000000.00000003.260324978.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTCBT9
Source: gimmer_bot_.exe, 00000000.00000003.260110421.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comams
Source: gimmer_bot_.exe, 00000000.00000003.260154446.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comct
Source: gimmer_bot_.exe, 00000000.00000003.260154446.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comcyBO
Source: gimmer_bot_.exe, 00000000.00000003.259926935.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.come
Source: gimmer_bot_.exe, 00000000.00000003.260068105.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comhly
Source: gimmer_bot_.exe, 00000000.00000003.260195377.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comigfO9
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: gimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
Source: gimmer_bot_.exe, 00000000.00000003.259926935.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.AP
Source: gimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comt
Source: gimmer_bot_.exe, 00000000.00000003.260512625.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comtigdA9
Source: gimmer_bot_.exeString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: gimmer_bot_.exe, 00000000.00000003.273622264.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers#Ov
Source: gimmer_bot_.exe, 00000000.00000003.265642267.0000000006032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers&
Source: gimmer_bot_.exe, 00000000.00000003.265642267.0000000006032000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.265559990.0000000006032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
Source: gimmer_bot_.exe, 00000000.00000003.268066198.000000000604E000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.267991573.000000000604E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gimmer_bot_.exe, 00000000.00000003.267586672.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.266901169.000000000604E000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: gimmer_bot_.exe, 00000000.00000003.268096372.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersOW
Source: gimmer_bot_.exe, 00000000.00000003.266412916.0000000006032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: gimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: gimmer_bot_.exe, 00000000.00000003.259279425.0000000006031000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gimmer_bot_.exe, 00000000.00000003.259279425.0000000006031000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/m
Source: gimmer_bot_.exe, 00000000.00000003.259279425.0000000006031000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cna
Source: gimmer_bot_.exe, 00000000.00000003.259095579.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnicr
Source: gimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl
Source: gimmer_bot_.exe, 00000000.00000003.259095579.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnof
Source: gimmer_bot_.exe, 00000000.00000003.259555519.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnoup?Qq
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.270153618.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gimmer_bot_.exe, 00000000.00000003.270395063.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm_VT
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: gimmer_bot_.exe, 0000000B.00000002.363799086.0000000002FBD000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gimmer_bot_.exe, 00000000.00000003.265293859.0000000006032000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: gimmer_bot_.exe, 00000000.00000003.253846926.0000000006012000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com2
Source: gimmer_bot_.exe, 00000000.00000003.253846926.0000000006012000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comaf
Source: gimmer_bot_.exe, 00000000.00000003.253846926.0000000006012000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comx
Source: gimmer_bot_.exe, 00000000.00000003.262511140.0000000006033000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: gimmer_bot_.exe, 00000000.00000003.258229506.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kro.kr
Source: gimmer_bot_.exe, 00000000.00000003.258076192.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krom/
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: gimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com8V
Source: gimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
Source: gimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: gimmer_bot_.exe, 00000000.00000003.265293859.0000000006032000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: gimmer_bot_.exe, 00000000.00000003.265293859.0000000006032000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dewUM
Source: gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.259885317.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: gimmer_bot_.exe, 00000000.00000003.259885317.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cne
Source: gimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnkr
Source: gimmer_bot_.exe, 0000000B.00000000.314808350.0000000002FF8000.00000004.00000001.sdmpString found in binary or memory: https://26DOeHrpZrmbM8gQd.org
Source: WerFault.exe, 00000016.00000002.356384847.0000000000A3C000.00000004.00000001.sdmpString found in binary or memory: https://26DOeHrpZrmbM8gQd.orgB1AE5198B7
Source: gimmer_bot_.exe, 0000000B.00000000.314808350.0000000002FF8000.00000004.00000001.sdmpString found in binary or memory: https://2fxv5e.makeiralone.ru
Source: gimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: https://2fxv5e.makeiralone.ru/1238615281.exe
Source: gimmer_bot_.exe, 0000000B.00000000.314808350.0000000002FF8000.00000004.00000001.sdmpString found in binary or memory: https://2fxv5e.makeiralone.ru4
Source: gimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org/1QhGu7
Source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
Source: gimmer_bot_.exeString found in binary or memory: https://sectigo.com/CPS0D
Source: gimmer_bot_.exeString found in binary or memory: https://www.digicert.com/CPS0
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/H
Source: gimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/Xhttps://2fxv5e.makeiralone.ru/1238615281.exe
Source: gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com4
Source: unknownDNS traffic detected: queries for: checkip.dyndns.org
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: gimmer_bot_.exe, 00000000.00000002.290053870.00000000012E9000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: gimmer_bot_.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 1944
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 0_2_00BCA74C0_2_00BCA74C
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 0_2_02DD08780_2_02DD0878
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 0_2_02DD08690_2_02DD0869
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 0_2_02DD3DD10_2_02DD3DD1
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 0_2_02DD0D080_2_02DD0D08
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 9_2_0033A74C9_2_0033A74C
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_0090A74C11_2_0090A74C
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_02DBF45811_2_02DBF458
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_02DB087011_2_02DB0870
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_02DB086011_2_02DB0860
Source: gimmer_bot_.exe, 00000000.00000002.290588184.0000000002FE1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs gimmer_bot_.exe
Source: gimmer_bot_.exe, 00000000.00000002.290588184.0000000002FE1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAmun.dll, vs gimmer_bot_.exe
Source: gimmer_bot_.exe, 0000000B.00000000.310243845.0000000002E56000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameclrjit.dllT vs gimmer_bot_.exe
Source: gimmer_bot_.exe, 0000000B.00000000.310243845.0000000002E56000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs gimmer_bot_.exe
Source: gimmer_bot_.exe, 0000000B.00000000.310243845.0000000002E56000.00000004.00000001.sdmpBinary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs gimmer_bot_.exe
Source: gimmer_bot_.exeBinary or memory string: OriginalFilenameGUy.exe< vs gimmer_bot_.exe
Source: gimmer_bot_.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gimmer_bot_.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gimmer_bot_.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\gimmer_bot_.exeSection loaded: mscorjit.dllJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeSection loaded: mscorjit.dllJump to behavior
Source: gimmer_bot_.exeStatic PE information: invalid certificate
Source: gimmer_bot_.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gimmer_bot_.exeVirustotal: Detection: 55%
Source: gimmer_bot_.exeReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile read: C:\Users\user\Desktop\gimmer_bot_.exeJump to behavior
Source: gimmer_bot_.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gimmer_bot_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\gimmer_bot_.exe 'C:\Users\user\Desktop\gimmer_bot_.exe'
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Users\user\Desktop\gimmer_bot_.exe {path}
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Users\user\Desktop\gimmer_bot_.exe {path}
Source: unknownProcess created: C:\Windows\System32\efsui.exe efsui.exe /efs /keybackup
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 1944
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Users\user\Desktop\gimmer_bot_.exe {path}Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Users\user\Desktop\gimmer_bot_.exe {path}Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gimmer_bot_.exe.logJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FD8.tmpJump to behavior
Source: classification engineClassification label: mal88.troj.evad.winEXE@7/7@5/3
Source: C:\Users\user\Desktop\gimmer_bot_.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess496
Source: C:\Windows\System32\efsui.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{A55C3BEE-5BFF-4c61-8833-39CD46D49BC7}-1-S-1-5-21-3853321935-2125563209-4053062332-1002
Source: gimmer_bot_.exe, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: gimmer_bot_.exe, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: gimmer_bot_.exe, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: gimmer_bot_.exe, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csCryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: gimmer_bot_.exeStatic file information: File size 1088232 > 1048576
Source: gimmer_bot_.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: gimmer_bot_.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.326622260.0000000004DA2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb_ source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb` source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: dhcpcsvc.pdb4 source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000016.00000003.338976439.0000000005400000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb! source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: version.pdb= source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb7 source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: indows.Forms.pdb" source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: System.pdb""T source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: k,C:\Windows\System.pdb source: gimmer_bot_.exe, 0000000B.00000002.359052439.0000000000B98000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbr source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: System.pdb@@ source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\gimmer_bot_.PDBv}M9 source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: gimmer_bot_.exe, 0000000B.00000000.316232072.00000000061FE000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb1 source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbD source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb$ source: WerFault.exe, 00000016.00000003.338350652.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb" source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb+ source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: gimmer_bot_.PDB61002-w source: gimmer_bot_.exe, 0000000B.00000000.309253273.0000000000B98000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbx] source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: gimmer_bot_.exe, 0000000B.00000000.316232072.00000000061FE000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER9FD8.tmp.dmp.22.dr
Source: Binary string: ws2_32.pdbV source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\gimmer_bot_.PDB source: gimmer_bot_.exe, 0000000B.00000000.309253273.0000000000B98000.00000004.00000001.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: System.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb` source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp
Source: Binary string: secur32.pdbx source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: gimmer_bot_.exe, 0000000B.00000000.312019728.000000000620A000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb~ source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: iphlpapi.pdb( source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000016.00000003.336268350.00000000056E0000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdb: source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.338309140.000000000540B000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000016.00000003.338424260.00000000052D1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000016.00000003.338530948.00000000052EA000.00000004.00000001.sdmp, WER9FD8.tmp.dmp.22.dr
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000016.00000003.338274722.0000000005411000.00000004.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: gimmer_bot_.exe, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.cs.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.cs.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.cs.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.cs.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.cs.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.cs.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.gimmer_bot_.exe.400000.3.unpack, TBtWnMSD5K5fVenm7A/gBDPdBso8mi5xqsj4c.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 11.2.gimmer_bot_.exe.400000.0.unpack, TBtWnMSD5K5fVenm7A/gBDPdBso8mi5xqsj4c.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 0_2_00BCA225 push edx; iretd 0_2_00BCA226
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 9_2_0033A225 push edx; iretd 9_2_0033A226
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_0090A225 push edx; iretd 11_2_0090A226
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_02DB3FA6 push ecx; retf 11_2_02DB3FAC
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F6555 push dword ptr [esi+eax*2-75h]; iretd 11_2_052F6560
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F3D8F push dword ptr [esi+eax*2-75h]; iretd 11_2_052F3D9A
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F2C46 push dword ptr [ebp+eax*2-75h]; iretd 11_2_052F2C4A
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F6F03 push dword ptr [esi+eax*2-75h]; iretd 11_2_052F6F0E
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F26F4 push dword ptr [esi+eax*2-75h]; iretd 11_2_052F26FF
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F66C4 push dword ptr [esi+eax*2-75h]; iretd 11_2_052F66CF
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F50F5 push dword ptr [esi+eax*2-75h]; iretd 11_2_052F5100
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F4348 push dword ptr [esi+eax*2-75h]; iretd 11_2_052F4353
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F4233 push dword ptr [esi+eax*2-75h]; iretd 11_2_052F423E
Source: gimmer_bot_.exeStatic PE information: real checksum: 0x10217e should be: 0x10f7bc
Source: gimmer_bot_.exeStatic PE information: 0xECCE6E45 [Thu Nov 24 05:40:21 2095 UTC]
Source: initial sampleStatic PE information: section name: .text entropy: 7.82079440488
Source: gimmer_bot_.exe, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csHigh entropy of concatenated method names: '.cctor', 'iyo1usQacYtrK', 'Wx6TI4T7Cv', 'EqFTsE0qIU', 'CtCTYyAV4q', 'u91To2TQUa', 'VfWTzTPsWs', 'dnlASQ92yD', 'e4CATdh2j5', 'kcNAAmE0Ff'
Source: gimmer_bot_.exe, GxqsyJalPhcSAjXqrI/PAoNSNlCcxAtoMgboV.csHigh entropy of concatenated method names: 'fiL1usQQ2FSww', '.ctor', '.cctor', 'iN9WuYy6ThxLmnBweXm', 'nXFgLWyTlEmQh10KRw8', 'freL95yVZRSaqXT0tAw', 'diyYkby3qa87nRp0lWQ', 'lIELeoyex25CaQQLcOU', 'yNq7iky9NPh9KrRf1pa', 'KpgguOymcM1ZKp3gkyL'
Source: gimmer_bot_.exe, ChatLogCleaner/MainForm.csHigh entropy of concatenated method names: '.ctor', 'GnvYsrxRE', 'tO4of1N7d', 'GN2z3VfOP', 'Ny4TSCqe1d', 'MehTTdhHI0', 'kXGTAISHVL', 'XonT8sAd1x', 'akJTfp4hEv', 'tGHTux8Wkw'
Source: gimmer_bot_.exe, ChatLogCleaner/ChatDisplay.csHigh entropy of concatenated method names: 'get_LogFile', 'set_LogFile', 'get_ChatFont', 'set_ChatFont', 'get_Color', 'set_Color', 'get_BackgroundColor', 'set_BackgroundColor', '.ctor', 'whcZSAjXq'
Source: gimmer_bot_.exe, Rotativa.Mini/WkhtmlDriver.csHigh entropy of concatenated method names: 'Convert', 'WumPu25vI', '.ctor', 'J0CRMlkmaPOXamIPOgt', 'HuRNVDkFR790a33rHVC', 'PEyG5ikwP4n2Ym3Rq6X', 'esU61wkEkpnpuKoaEXB', 'Tmt46rkRK2JuLUSgYjf', 'QCAG9Yku3PHewj16t9y', 'EhTruhkAPyXfuu4DLET'
Source: gimmer_bot_.exe, Hh4q4IMdiEdAxP6cTv/b05QhBeLmE7HgIYDVN.csHigh entropy of concatenated method names: '.ctor', 'iBIf6y3L3', 'DicujJfsN', 'ehsJhZsOO', 'aYgRwwDeO', 'x916Z3LmwtBAYoqIsq', 'bWgMtblDKFVA5TM5j6', 'hSIIlfCay3D1QgJGyv', 'svsMtiYu2qdLgwchss', 'SNQoXLbcGm4tA3D5fr'
Source: gimmer_bot_.exe, UnitTestProject1/LineEater.csHigh entropy of concatenated method names: 'EatFromDirectory', 'EatFromFile', '.ctor', 'VZJAbvqek8ly1qKV1x', 'HlEMGMDDdGr6t5gLl9', 'jQ3cLfUrXdrI1fFEJf', 'WpyONTX6SK63av1yAc', 'B12qpoInDA1lbpwhyQ', 'xaSNKToiaEw3VHY0ak', 'POX2Ls1E3fDAJtyWkj'
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csHigh entropy of concatenated method names: '.cctor', 'iyo1usQacYtrK', 'Wx6TI4T7Cv', 'EqFTsE0qIU', 'CtCTYyAV4q', 'u91To2TQUa', 'VfWTzTPsWs', 'dnlASQ92yD', 'e4CATdh2j5', 'kcNAAmE0Ff'
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, Hh4q4IMdiEdAxP6cTv/b05QhBeLmE7HgIYDVN.csHigh entropy of concatenated method names: '.ctor', 'iBIf6y3L3', 'DicujJfsN', 'ehsJhZsOO', 'aYgRwwDeO', 'x916Z3LmwtBAYoqIsq', 'bWgMtblDKFVA5TM5j6', 'hSIIlfCay3D1QgJGyv', 'svsMtiYu2qdLgwchss', 'SNQoXLbcGm4tA3D5fr'
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, GxqsyJalPhcSAjXqrI/PAoNSNlCcxAtoMgboV.csHigh entropy of concatenated method names: 'fiL1usQQ2FSww', '.ctor', '.cctor', 'iN9WuYy6ThxLmnBweXm', 'nXFgLWyTlEmQh10KRw8', 'freL95yVZRSaqXT0tAw', 'diyYkby3qa87nRp0lWQ', 'lIELeoyex25CaQQLcOU', 'yNq7iky9NPh9KrRf1pa', 'KpgguOymcM1ZKp3gkyL'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, ChatLogCleaner/MainForm.csHigh entropy of concatenated method names: '.ctor', 'GnvYsrxRE', 'tO4of1N7d', 'GN2z3VfOP', 'Ny4TSCqe1d', 'MehTTdhHI0', 'kXGTAISHVL', 'XonT8sAd1x', 'akJTfp4hEv', 'tGHTux8Wkw'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, GxqsyJalPhcSAjXqrI/PAoNSNlCcxAtoMgboV.csHigh entropy of concatenated method names: 'fiL1usQQ2FSww', '.ctor', '.cctor', 'iN9WuYy6ThxLmnBweXm', 'nXFgLWyTlEmQh10KRw8', 'freL95yVZRSaqXT0tAw', 'diyYkby3qa87nRp0lWQ', 'lIELeoyex25CaQQLcOU', 'yNq7iky9NPh9KrRf1pa', 'KpgguOymcM1ZKp3gkyL'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, ChatLogCleaner/ChatDisplay.csHigh entropy of concatenated method names: 'get_LogFile', 'set_LogFile', 'get_ChatFont', 'set_ChatFont', 'get_Color', 'set_Color', 'get_BackgroundColor', 'set_BackgroundColor', '.ctor', 'whcZSAjXq'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, Rotativa.Mini/WkhtmlDriver.csHigh entropy of concatenated method names: 'Convert', 'WumPu25vI', '.ctor', 'J0CRMlkmaPOXamIPOgt', 'HuRNVDkFR790a33rHVC', 'PEyG5ikwP4n2Ym3Rq6X', 'esU61wkEkpnpuKoaEXB', 'Tmt46rkRK2JuLUSgYjf', 'QCAG9Yku3PHewj16t9y', 'EhTruhkAPyXfuu4DLET'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, Hh4q4IMdiEdAxP6cTv/b05QhBeLmE7HgIYDVN.csHigh entropy of concatenated method names: '.ctor', 'iBIf6y3L3', 'DicujJfsN', 'ehsJhZsOO', 'aYgRwwDeO', 'x916Z3LmwtBAYoqIsq', 'bWgMtblDKFVA5TM5j6', 'hSIIlfCay3D1QgJGyv', 'svsMtiYu2qdLgwchss', 'SNQoXLbcGm4tA3D5fr'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, UnitTestProject1/LineEater.csHigh entropy of concatenated method names: 'EatFromDirectory', 'EatFromFile', '.ctor', 'VZJAbvqek8ly1qKV1x', 'HlEMGMDDdGr6t5gLl9', 'jQ3cLfUrXdrI1fFEJf', 'WpyONTX6SK63av1yAc', 'B12qpoInDA1lbpwhyQ', 'xaSNKToiaEw3VHY0ak', 'POX2Ls1E3fDAJtyWkj'
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csHigh entropy of concatenated method names: '.cctor', 'iyo1usQacYtrK', 'Wx6TI4T7Cv', 'EqFTsE0qIU', 'CtCTYyAV4q', 'u91To2TQUa', 'VfWTzTPsWs', 'dnlASQ92yD', 'e4CATdh2j5', 'kcNAAmE0Ff'
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, ChatLogCleaner/MainForm.csHigh entropy of concatenated method names: '.ctor', 'GnvYsrxRE', 'tO4of1N7d', 'GN2z3VfOP', 'Ny4TSCqe1d', 'MehTTdhHI0', 'kXGTAISHVL', 'XonT8sAd1x', 'akJTfp4hEv', 'tGHTux8Wkw'
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, ChatLogCleaner/ChatDisplay.csHigh entropy of concatenated method names: 'get_LogFile', 'set_LogFile', 'get_ChatFont', 'set_ChatFont', 'get_Color', 'set_Color', 'get_BackgroundColor', 'set_BackgroundColor', '.ctor', 'whcZSAjXq'
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, Rotativa.Mini/WkhtmlDriver.csHigh entropy of concatenated method names: 'Convert', 'WumPu25vI', '.ctor', 'J0CRMlkmaPOXamIPOgt', 'HuRNVDkFR790a33rHVC', 'PEyG5ikwP4n2Ym3Rq6X', 'esU61wkEkpnpuKoaEXB', 'Tmt46rkRK2JuLUSgYjf', 'QCAG9Yku3PHewj16t9y', 'EhTruhkAPyXfuu4DLET'
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, Hh4q4IMdiEdAxP6cTv/b05QhBeLmE7HgIYDVN.csHigh entropy of concatenated method names: '.ctor', 'iBIf6y3L3', 'DicujJfsN', 'ehsJhZsOO', 'aYgRwwDeO', 'x916Z3LmwtBAYoqIsq', 'bWgMtblDKFVA5TM5j6', 'hSIIlfCay3D1QgJGyv', 'svsMtiYu2qdLgwchss', 'SNQoXLbcGm4tA3D5fr'
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, UnitTestProject1/LineEater.csHigh entropy of concatenated method names: 'EatFromDirectory', 'EatFromFile', '.ctor', 'VZJAbvqek8ly1qKV1x', 'HlEMGMDDdGr6t5gLl9', 'jQ3cLfUrXdrI1fFEJf', 'WpyONTX6SK63av1yAc', 'B12qpoInDA1lbpwhyQ', 'xaSNKToiaEw3VHY0ak', 'POX2Ls1E3fDAJtyWkj'
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csHigh entropy of concatenated method names: '.cctor', 'iyo1usQacYtrK', 'Wx6TI4T7Cv', 'EqFTsE0qIU', 'CtCTYyAV4q', 'u91To2TQUa', 'VfWTzTPsWs', 'dnlASQ92yD', 'e4CATdh2j5', 'kcNAAmE0Ff'
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, GxqsyJalPhcSAjXqrI/PAoNSNlCcxAtoMgboV.csHigh entropy of concatenated method names: 'fiL1usQQ2FSww', '.ctor', '.cctor', 'iN9WuYy6ThxLmnBweXm', 'nXFgLWyTlEmQh10KRw8', 'freL95yVZRSaqXT0tAw', 'diyYkby3qa87nRp0lWQ', 'lIELeoyex25CaQQLcOU', 'yNq7iky9NPh9KrRf1pa', 'KpgguOymcM1ZKp3gkyL'
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, ChatLogCleaner/MainForm.csHigh entropy of concatenated method names: '.ctor', 'GnvYsrxRE', 'tO4of1N7d', 'GN2z3VfOP', 'Ny4TSCqe1d', 'MehTTdhHI0', 'kXGTAISHVL', 'XonT8sAd1x', 'akJTfp4hEv', 'tGHTux8Wkw'
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, ChatLogCleaner/ChatDisplay.csHigh entropy of concatenated method names: 'get_LogFile', 'set_LogFile', 'get_ChatFont', 'set_ChatFont', 'get_Color', 'set_Color', 'get_BackgroundColor', 'set_BackgroundColor', '.ctor', 'whcZSAjXq'
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, Hh4q4IMdiEdAxP6cTv/b05QhBeLmE7HgIYDVN.csHigh entropy of concatenated method names: '.ctor', 'iBIf6y3L3', 'DicujJfsN', 'ehsJhZsOO', 'aYgRwwDeO', 'x916Z3LmwtBAYoqIsq', 'bWgMtblDKFVA5TM5j6', 'hSIIlfCay3D1QgJGyv', 'svsMtiYu2qdLgwchss', 'SNQoXLbcGm4tA3D5fr'
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, UnitTestProject1/LineEater.csHigh entropy of concatenated method names: 'EatFromDirectory', 'EatFromFile', '.ctor', 'VZJAbvqek8ly1qKV1x', 'HlEMGMDDdGr6t5gLl9', 'jQ3cLfUrXdrI1fFEJf', 'WpyONTX6SK63av1yAc', 'B12qpoInDA1lbpwhyQ', 'xaSNKToiaEw3VHY0ak', 'POX2Ls1E3fDAJtyWkj'
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, Rotativa.Mini/WkhtmlDriver.csHigh entropy of concatenated method names: 'Convert', 'WumPu25vI', '.ctor', 'J0CRMlkmaPOXamIPOgt', 'HuRNVDkFR790a33rHVC', 'PEyG5ikwP4n2Ym3Rq6X', 'esU61wkEkpnpuKoaEXB', 'Tmt46rkRK2JuLUSgYjf', 'QCAG9Yku3PHewj16t9y', 'EhTruhkAPyXfuu4DLET'
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csHigh entropy of concatenated method names: '.cctor', 'iyo1usQacYtrK', 'Wx6TI4T7Cv', 'EqFTsE0qIU', 'CtCTYyAV4q', 'u91To2TQUa', 'VfWTzTPsWs', 'dnlASQ92yD', 'e4CATdh2j5', 'kcNAAmE0Ff'
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, GxqsyJalPhcSAjXqrI/PAoNSNlCcxAtoMgboV.csHigh entropy of concatenated method names: 'fiL1usQQ2FSww', '.ctor', '.cctor', 'iN9WuYy6ThxLmnBweXm', 'nXFgLWyTlEmQh10KRw8', 'freL95yVZRSaqXT0tAw', 'diyYkby3qa87nRp0lWQ', 'lIELeoyex25CaQQLcOU', 'yNq7iky9NPh9KrRf1pa', 'KpgguOymcM1ZKp3gkyL'
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, ChatLogCleaner/MainForm.csHigh entropy of concatenated method names: '.ctor', 'GnvYsrxRE', 'tO4of1N7d', 'GN2z3VfOP', 'Ny4TSCqe1d', 'MehTTdhHI0', 'kXGTAISHVL', 'XonT8sAd1x', 'akJTfp4hEv', 'tGHTux8Wkw'
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, ChatLogCleaner/ChatDisplay.csHigh entropy of concatenated method names: 'get_LogFile', 'set_LogFile', 'get_ChatFont', 'set_ChatFont', 'get_Color', 'set_Color', 'get_BackgroundColor', 'set_BackgroundColor', '.ctor', 'whcZSAjXq'
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, Rotativa.Mini/WkhtmlDriver.csHigh entropy of concatenated method names: 'Convert', 'WumPu25vI', '.ctor', 'J0CRMlkmaPOXamIPOgt', 'HuRNVDkFR790a33rHVC', 'PEyG5ikwP4n2Ym3Rq6X', 'esU61wkEkpnpuKoaEXB', 'Tmt46rkRK2JuLUSgYjf', 'QCAG9Yku3PHewj16t9y', 'EhTruhkAPyXfuu4DLET'
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, Hh4q4IMdiEdAxP6cTv/b05QhBeLmE7HgIYDVN.csHigh entropy of concatenated method names: '.ctor', 'iBIf6y3L3', 'DicujJfsN', 'ehsJhZsOO', 'aYgRwwDeO', 'x916Z3LmwtBAYoqIsq', 'bWgMtblDKFVA5TM5j6', 'hSIIlfCay3D1QgJGyv', 'svsMtiYu2qdLgwchss', 'SNQoXLbcGm4tA3D5fr'
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csHigh entropy of concatenated method names: '.cctor', 'iyo1usQacYtrK', 'Wx6TI4T7Cv', 'EqFTsE0qIU', 'CtCTYyAV4q', 'u91To2TQUa', 'VfWTzTPsWs', 'dnlASQ92yD', 'e4CATdh2j5', 'kcNAAmE0Ff'
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, UnitTestProject1/LineEater.csHigh entropy of concatenated method names: 'EatFromDirectory', 'EatFromFile', '.ctor', 'VZJAbvqek8ly1qKV1x', 'HlEMGMDDdGr6t5gLl9', 'jQ3cLfUrXdrI1fFEJf', 'WpyONTX6SK63av1yAc', 'B12qpoInDA1lbpwhyQ', 'xaSNKToiaEw3VHY0ak', 'POX2Ls1E3fDAJtyWkj'
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, GxqsyJalPhcSAjXqrI/PAoNSNlCcxAtoMgboV.csHigh entropy of concatenated method names: 'fiL1usQQ2FSww', '.ctor', '.cctor', 'iN9WuYy6ThxLmnBweXm', 'nXFgLWyTlEmQh10KRw8', 'freL95yVZRSaqXT0tAw', 'diyYkby3qa87nRp0lWQ', 'lIELeoyex25CaQQLcOU', 'yNq7iky9NPh9KrRf1pa', 'KpgguOymcM1ZKp3gkyL'
Source: 11.0.gimmer_bot_.exe.400000.3.unpack, TBtWnMSD5K5fVenm7A/gBDPdBso8mi5xqsj4c.csHigh entropy of concatenated method names: '.cctor', 'bBhHKSPsJ5Ufv', 'UPbavZoH22', 'VibaF0f3RN', 'b79aChQSEK', 'xaXaMlCWVv', 'X8Kauq5L5w', 'XMMapbyCw3', 'gWWazFSAHm', 'UyoXWoYQ0G'
Source: 11.2.gimmer_bot_.exe.400000.0.unpack, TBtWnMSD5K5fVenm7A/gBDPdBso8mi5xqsj4c.csHigh entropy of concatenated method names: '.cctor', 'bBhHKSPsJ5Ufv', 'UPbavZoH22', 'VibaF0f3RN', 'b79aChQSEK', 'xaXaMlCWVv', 'X8Kauq5L5w', 'XMMapbyCw3', 'gWWazFSAHm', 'UyoXWoYQ0G'

Hooking and other Techniques for Hiding and Protection:

barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\gimmer_bot_.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTipsJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\efsui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\efsui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\efsui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\efsui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\efsui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\gimmer_bot_.exe TID: 4092Thread sleep time: -41500s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exe TID: 1168Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exe TID: 6292Thread sleep count: 150 > 30Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exe TID: 6284Thread sleep count: 135 > 30Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F9778 FindFirstFileW,11_2_052F9778
Source: C:\Users\user\Desktop\gimmer_bot_.exeCode function: 11_2_052F9CCD FindFirstFileW,11_2_052F9CCD
Source: C:\Users\user\Desktop\gimmer_bot_.exeThread delayed: delay time: 41500Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: vmware
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: WerFault.exe, 00000016.00000002.357098104.0000000004D99000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: VMWARE
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
Source: gimmer_bot_.exe, 00000000.00000002.292836268.000000000368D000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
.NET source code references suspicious native API functions
Source: gimmer_bot_.exe, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csReference to suspicious API methods: ('hrXApkrswO', 'ReadProcessMemory@kernel32.dll'), ('WsRAjq6ZfV', 'VirtualProtect@kernel32.dll'), ('Ii0A3q2i8W', 'LoadLibrary@kernel32'), ('KJxAC7mt3L', 'VirtualAlloc@kernel32.dll'), ('ovQA2Quky8', 'OpenProcess@kernel32.dll'), ('SyYAdJxnRA', 'FindResource@kernel32.dll'), ('eRvANL52bA', 'GetProcAddress@kernel32'), ('WdhAUiGT8y', 'WriteProcessMemory@kernel32.dll'), ('n7lArRIKYm', 'VirtualProtect@kernel32.dll')
Source: 0.2.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csReference to suspicious API methods: ('hrXApkrswO', 'ReadProcessMemory@kernel32.dll'), ('WsRAjq6ZfV', 'VirtualProtect@kernel32.dll'), ('Ii0A3q2i8W', 'LoadLibrary@kernel32'), ('KJxAC7mt3L', 'VirtualAlloc@kernel32.dll'), ('ovQA2Quky8', 'OpenProcess@kernel32.dll'), ('SyYAdJxnRA', 'FindResource@kernel32.dll'), ('eRvANL52bA', 'GetProcAddress@kernel32'), ('WdhAUiGT8y', 'WriteProcessMemory@kernel32.dll'), ('n7lArRIKYm', 'VirtualProtect@kernel32.dll')
Source: 0.0.gimmer_bot_.exe.bc0000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csReference to suspicious API methods: ('hrXApkrswO', 'ReadProcessMemory@kernel32.dll'), ('WsRAjq6ZfV', 'VirtualProtect@kernel32.dll'), ('Ii0A3q2i8W', 'LoadLibrary@kernel32'), ('KJxAC7mt3L', 'VirtualAlloc@kernel32.dll'), ('ovQA2Quky8', 'OpenProcess@kernel32.dll'), ('SyYAdJxnRA', 'FindResource@kernel32.dll'), ('eRvANL52bA', 'GetProcAddress@kernel32'), ('WdhAUiGT8y', 'WriteProcessMemory@kernel32.dll'), ('n7lArRIKYm', 'VirtualProtect@kernel32.dll')
Source: 9.2.gimmer_bot_.exe.330000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csReference to suspicious API methods: ('hrXApkrswO', 'ReadProcessMemory@kernel32.dll'), ('WsRAjq6ZfV', 'VirtualProtect@kernel32.dll'), ('Ii0A3q2i8W', 'LoadLibrary@kernel32'), ('KJxAC7mt3L', 'VirtualAlloc@kernel32.dll'), ('ovQA2Quky8', 'OpenProcess@kernel32.dll'), ('SyYAdJxnRA', 'FindResource@kernel32.dll'), ('eRvANL52bA', 'GetProcAddress@kernel32'), ('WdhAUiGT8y', 'WriteProcessMemory@kernel32.dll'), ('n7lArRIKYm', 'VirtualProtect@kernel32.dll')
Source: 9.0.gimmer_bot_.exe.330000.0.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csReference to suspicious API methods: ('hrXApkrswO', 'ReadProcessMemory@kernel32.dll'), ('WsRAjq6ZfV', 'VirtualProtect@kernel32.dll'), ('Ii0A3q2i8W', 'LoadLibrary@kernel32'), ('KJxAC7mt3L', 'VirtualAlloc@kernel32.dll'), ('ovQA2Quky8', 'OpenProcess@kernel32.dll'), ('SyYAdJxnRA', 'FindResource@kernel32.dll'), ('eRvANL52bA', 'GetProcAddress@kernel32'), ('WdhAUiGT8y', 'WriteProcessMemory@kernel32.dll'), ('n7lArRIKYm', 'VirtualProtect@kernel32.dll')
Source: 11.0.gimmer_bot_.exe.900000.4.unpack, L696TnNQt0dk9VtRqP/CgBIGe3qXPgLI98HR1.csReference to suspicious API methods: ('hrXApkrswO', 'ReadProcessMemory@kernel32.dll'), ('WsRAjq6ZfV', 'VirtualProtect@kernel32.dll'), ('Ii0A3q2i8W', 'LoadLibrary@kernel32'), ('KJxAC7mt3L', 'VirtualAlloc@kernel32.dll'), ('ovQA2Quky8', 'OpenProcess@kernel32.dll'), ('SyYAdJxnRA', 'FindResource@kernel32.dll'), ('eRvANL52bA', 'GetProcAddress@kernel32'), ('WdhAUiGT8y', 'WriteProcessMemory@kernel32.dll'), ('n7lArRIKYm', 'VirtualProtect@kernel32.dll')
Source: 11.0.gimmer_bot_.exe.400000.3.unpack, TBtWnMSD5K5fVenm7A/gBDPdBso8mi5xqsj4c.csReference to suspicious API methods: ('z6bXRacrmI', 'LoadLibrary@kernel32'), ('GYpXQYcVCK', 'GetProcAddress@kernel32')
Source: 11.2.gimmer_bot_.exe.400000.0.unpack, TBtWnMSD5K5fVenm7A/gBDPdBso8mi5xqsj4c.csReference to suspicious API methods: ('z6bXRacrmI', 'LoadLibrary@kernel32'), ('GYpXQYcVCK', 'GetProcAddress@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\gimmer_bot_.exeMemory written: C:\Users\user\Desktop\gimmer_bot_.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Users\user\Desktop\gimmer_bot_.exe {path}Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeProcess created: C:\Users\user\Desktop\gimmer_bot_.exe {path}Jump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Users\user\Desktop\gimmer_bot_.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Users\user\Desktop\gimmer_bot_.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\gimmer_bot_.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Disable Task List ballon tips (likely to surpress security warnings)
Source: C:\Users\user\Desktop\gimmer_bot_.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips 0Jump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsNative API1DLL Side-Loading1Process Injection111Masquerading1Input Capture1Security Software Discovery111Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools11LSASS MemoryProcess Discovery1Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection111NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol3SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Network Configuration Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonHidden Files and Directories1Cached Domain CredentialsFile and Directory Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information3DCSyncSystem Information Discovery12Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing12Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Timestomp1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)DLL Side-Loading1Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478837 Sample: gimmer_bot_.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 88 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 .NET source code contains method to dynamically call methods (often used by packers) 2->36 38 3 other signatures 2->38 7 gimmer_bot_.exe 3 2->7         started        11 efsui.exe 4 2->11         started        process3 file4 24 C:\Users\user\AppData\...\gimmer_bot_.exe.log, ASCII 7->24 dropped 40 May check the online IP address of the machine 7->40 42 Injects a PE file into a foreign processes 7->42 13 gimmer_bot_.exe 18 4 7->13         started        17 gimmer_bot_.exe 7->17         started        signatures5 process6 dnsIp7 26 checkip.dyndns.org 13->26 28 ip-api.com 208.95.112.1, 49709, 80 TUT-ASUS United States 13->28 30 3 other IPs or domains 13->30 44 Disable Task List ballon tips (likely to surpress security warnings) 13->44 46 Changes the view of files in windows explorer (hidden files and folders) 13->46 19 WerFault.exe 23 9 13->19         started        signatures8 process9 file10 22 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->22 dropped

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
gimmer_bot_.exe55%VirustotalBrowse
gimmer_bot_.exe60%ReversingLabsByteCode-MSIL.Trojan.Perseus
gimmer_bot_.exe100%AviraTR/Spy.Stealer.trarr
gimmer_bot_.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
9.2.gimmer_bot_.exe.330000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
0.2.gimmer_bot_.exe.bc0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
11.0.gimmer_bot_.exe.900000.4.unpack100%AviraTR/Crypt.XPACK.GenDownload File
11.0.gimmer_bot_.exe.400000.3.unpack100%AviraHEUR/AGEN.1123487Download File
11.2.gimmer_bot_.exe.400000.0.unpack100%AviraHEUR/AGEN.1123487Download File
11.0.gimmer_bot_.exe.900000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
11.0.gimmer_bot_.exe.400000.1.unpack100%AviraHEUR/AGEN.1123487Download File
11.2.gimmer_bot_.exe.900000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
11.0.gimmer_bot_.exe.900000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
0.0.gimmer_bot_.exe.bc0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
9.0.gimmer_bot_.exe.330000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://www.carterandcone.com.122U0%Avira URL Cloudsafe
https://2fxv5e.makeiralone.ru0%Avira URL Cloudsafe
http://www.carterandcone.comigfO90%Avira URL Cloudsafe
http://www.sajatypeworks.comaf0%Avira URL Cloudsafe
http://checkip.dyndns.org(NjQuMjMzLjE3Mi4xMDc=0%Avira URL Cloudsafe
http://pki.goog/repo/certs/gtsr1.der040%URL Reputationsafe
http://www.sajatypeworks.com0%URL Reputationsafe
http://checkip.dyndns.org40%URL Reputationsafe
http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
http://checkip.dyndns.org/0%URL Reputationsafe
http://www.carterandcone.comCt0%Avira URL Cloudsafe
https://26DOeHrpZrmbM8gQd.orgB1AE5198B70%Avira URL Cloudsafe
http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
http://www.galapagosdesign.com/staff/dennis.htm_VT0%Avira URL Cloudsafe
http://www.urwpp.deDPlease0%URL Reputationsafe
http://www.zhongyicts.com.cn0%URL Reputationsafe
http://www.sandoll.co.krom/0%Avira URL Cloudsafe
http://www.carterandcone.comTCBT90%Avira URL Cloudsafe
http://www.carterandcone.como.0%URL Reputationsafe
http://www.founder.com.cn/cn/m0%Avira URL Cloudsafe
http://www.carterandcone.comcyBO0%Avira URL Cloudsafe
http://www.carterandcone.come0%URL Reputationsafe
https://www.google.com40%Avira URL Cloudsafe
http://crl.pki.goog/gtsr1/gtsr1.crl0W0%URL Reputationsafe
http://checkip.dyndns.org0%URL Reputationsafe
http://www.carterandcone.comt0%URL Reputationsafe
https://pki.goog/repository/00%URL Reputationsafe
http://www.zhongyicts.com.cne0%URL Reputationsafe
http://www.carterandcone.coml0%URL Reputationsafe
http://www.founder.com.cn/cn/0%URL Reputationsafe
https://26DOeHrpZrmbM8gQd.org0%Avira URL Cloudsafe
http://www.founder.com.cn/cnicr0%URL Reputationsafe
http://www.carterandcone.como.AP0%Avira URL Cloudsafe
http://www.tiro.com8V0%Avira URL Cloudsafe
http://crl.pki.goog/gsr1/gsr1.crl0;0%URL Reputationsafe
http://www.sajatypeworks.com20%URL Reputationsafe
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
http://ocsp.sectigo.com00%URL Reputationsafe
http://www.carterandcone.comams0%URL Reputationsafe
http://crls.pki.goog/gts1c3/moVDfISia2k.crl00%URL Reputationsafe
http://www.tiro.com0%URL Reputationsafe
http://www.goodfont.co.kr0%URL Reputationsafe
http://www.carterandcone.com0%URL Reputationsafe
http://www.carterandcone.com.0%URL Reputationsafe
http://ip-api.com40%URL Reputationsafe
http://www.typography.netD0%URL Reputationsafe
http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
http://fontfabrik.com0%URL Reputationsafe
https://2fxv5e.makeiralone.ru40%Avira URL Cloudsafe
http://www.founder.com.cn/cnl0%URL Reputationsafe
https://sectigo.com/CPS0D0%URL Reputationsafe
http://www.ascendercorp.com/typedesigners.htmlJC0%Avira URL Cloudsafe
http://www.founder.com.cn/cna0%URL Reputationsafe
http://www.sandoll.co.kr0%URL Reputationsafe
http://www.carterandcone.comtigdA90%Avira URL Cloudsafe
http://checkip.dyndns.com0%Avira URL Cloudsafe
http://www.urwpp.de0%URL Reputationsafe
http://www.zhongyicts.com.cnkr0%Avira URL Cloudsafe
https://2fxv5e.makeiralone.ru/1238615281.exe0%Avira URL Cloudsafe
http://www.sakkal.com0%URL Reputationsafe
http://www.tiro.comslnt0%URL Reputationsafe
http://www.sajatypeworks.comx0%Avira URL Cloudsafe
http://ocsp.thawte.com00%URL Reputationsafe
http://www.tiro.comlic0%URL Reputationsafe
http://pki.goog/gsr1/gsr1.crt020%URL Reputationsafe

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
ip-api.com
208.95.112.1
truefalse
    		high
    www.google.com
    		172.217.168.68
    		truefalse
      		high
      checkip.dyndns.com
      		216.146.43.70
      		truefalse
        		unknown
        2fxv5e.makeiralone.ru
        		unknown
        		unknownfalse
          		unknown
          checkip.dyndns.org
          		unknown
          		unknowntrue
            		unknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            http://checkip.dyndns.org/false
            • URL Reputation: safe
            		unknown
            http://ip-api.com/json/false
              		high
              NameSourceMaliciousAntivirus DetectionReputation
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                		high
                http://www.carterandcone.com.122Ugimmer_bot_.exe, 00000000.00000003.260406300.000000000602B000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		low
                https://2fxv5e.makeiralone.rugimmer_bot_.exe, 0000000B.00000000.314808350.0000000002FF8000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                  		high
                  http://www.carterandcone.comigfO9gimmer_bot_.exe, 00000000.00000003.260195377.000000000602B000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.sajatypeworks.comafgimmer_bot_.exe, 00000000.00000003.253846926.0000000006012000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovinceWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                    		high
                    http://www.fontbureau.com/designersgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                      		high
                      http://checkip.dyndns.org(NjQuMjMzLjE3Mi4xMDc=gimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authenticationWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                        		high
                        http://pki.goog/repo/certs/gtsr1.der04gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.sajatypeworks.comgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://checkip.dyndns.org4gimmer_bot_.exe, 0000000B.00000000.310682952.0000000002F72000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://www.google.comgimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers#Ovgimmer_bot_.exe, 00000000.00000003.273622264.000000000602B000.00000004.00000001.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/cThegimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.oWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                                		high
                                http://www.carterandcone.comCtgimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://iplogger.org/1QhGu7gimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.oWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                                    		high
                                    https://26DOeHrpZrmbM8gQd.orgB1AE5198B7WerFault.exe, 00000016.00000002.356384847.0000000000A3C000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://ip-api.comgimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.galapagosdesign.com/DPleasegimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.ascendercorp.com/typedesigners.htmlgimmer_bot_.exe, 00000000.00000003.262704562.0000000006033000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.262435316.0000000006033000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.galapagosdesign.com/staff/dennis.htm_VTgimmer_bot_.exe, 00000000.00000003.270395063.000000000602B000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.urwpp.deDPleasegimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.zhongyicts.com.cngimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.259885317.000000000602B000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sandoll.co.krom/gimmer_bot_.exe, 00000000.00000003.258076192.000000000602B000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namegimmer_bot_.exe, 0000000B.00000000.310665140.0000000002F68000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.carterandcone.comTCBT9gimmer_bot_.exe, 00000000.00000003.260324978.000000000602B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.carterandcone.como.gimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cn/mgimmer_bot_.exe, 00000000.00000003.259279425.0000000006031000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.carterandcone.comcyBOgimmer_bot_.exe, 00000000.00000003.260154446.000000000602B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.carterandcone.comegimmer_bot_.exe, 00000000.00000003.259926935.000000000602B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.google.com4gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://ip-api.com/json/Hgimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                            		high
                                            http://crl.pki.goog/gtsr1/gtsr1.crl0Wgimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://checkip.dyndns.orggimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.carterandcone.comtgimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://pki.goog/repository/0gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://www.google.com/Hgimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.zhongyicts.com.cnegimmer_bot_.exe, 00000000.00000003.259885317.000000000602B000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.carterandcone.comlgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.founder.com.cn/cn/gimmer_bot_.exe, 00000000.00000003.259279425.0000000006031000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlgimmer_bot_.exe, 00000000.00000003.267586672.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.266901169.000000000604E000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                		high
                                                https://26DOeHrpZrmbM8gQd.orggimmer_bot_.exe, 0000000B.00000000.314808350.0000000002FF8000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.founder.com.cn/cnicrgimmer_bot_.exe, 00000000.00000003.259095579.000000000602B000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.carterandcone.como.APgimmer_bot_.exe, 00000000.00000003.259926935.000000000602B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.tiro.com8Vgimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.com/designersGgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://crl.pki.goog/gsr1/gsr1.crl0;gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.sajatypeworks.com2gimmer_bot_.exe, 00000000.00000003.253846926.0000000006012000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/?gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://www.founder.com.cn/cn/bThegimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://ocsp.sectigo.com0gimmer_bot_.exefalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers?gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://www.carterandcone.comamsgimmer_bot_.exe, 00000000.00000003.260110421.000000000602B000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://crls.pki.goog/gts1c3/moVDfISia2k.crl0gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designersOWgimmer_bot_.exe, 00000000.00000003.268096372.000000000602B000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.tiro.comgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.goodfont.co.krgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.carterandcone.comgimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.260406300.000000000602B000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designersPgimmer_bot_.exe, 00000000.00000003.266412916.0000000006032000.00000004.00000001.sdmpfalse
                                                          		high
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20WerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                                                            		high
                                                            http://schema.org/WebPagegimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                                              		high
                                                              http://www.carterandcone.com.gimmer_bot_.exe, 00000000.00000003.260406300.000000000602B000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://ip-api.com4gimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.typography.netDgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.galapagosdesign.com/staff/dennis.htmgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.270153618.000000000602B000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://fontfabrik.comgimmer_bot_.exe, 00000000.00000003.255422309.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000003.255707762.000000000602B000.00000004.00000001.sdmp, gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://2fxv5e.makeiralone.ru4gimmer_bot_.exe, 0000000B.00000000.314808350.0000000002FF8000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://crl.thawte.com/ThawteTimestampingCA.crl0gimmer_bot_.exefalse
                                                                		high
                                                                http://www.founder.com.cn/cnlgimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://sectigo.com/CPS0Dgimmer_bot_.exefalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.ascendercorp.com/typedesigners.htmlJCgimmer_bot_.exe, 00000000.00000003.262704562.0000000006033000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://www.founder.com.cn/cnagimmer_bot_.exe, 00000000.00000003.259279425.0000000006031000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.google.comgimmer_bot_.exe, 0000000B.00000002.363799086.0000000002FBD000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.fonts.comgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.sandoll.co.krgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.carterandcone.comtigdA9gimmer_bot_.exe, 00000000.00000003.260512625.000000000602B000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    http://checkip.dyndns.comgimmer_bot_.exe, 0000000B.00000000.310713319.0000000002F7A000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    http://www.urwpp.degimmer_bot_.exe, 00000000.00000003.265293859.0000000006032000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.zhongyicts.com.cnkrgimmer_bot_.exe, 00000000.00000003.260240498.000000000602B000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://2fxv5e.makeiralone.ru/1238615281.exegimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    http://www.sakkal.comgimmer_bot_.exe, 00000000.00000003.262511140.0000000006033000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.apache.org/licenses/LICENSE-2.0gimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      http://www.fontbureau.comgimmer_bot_.exe, 00000000.00000002.298254474.0000000007222000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://www.google.com/Xhttps://2fxv5e.makeiralone.ru/1238615281.exegimmer_bot_.exe, 0000000B.00000000.314483475.0000000002EC1000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          http://www.carterandcone.comctgimmer_bot_.exe, 00000000.00000003.260154446.000000000602B000.00000004.00000001.sdmpfalse
                                                                            		unknown
                                                                            http://www.tiro.comslntgimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://www.sajatypeworks.comxgimmer_bot_.exe, 00000000.00000003.253846926.0000000006012000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://ocsp.thawte.com0gimmer_bot_.exefalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphoneWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephoneWerFault.exe, 00000016.00000003.335632543.0000000005720000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                http://www.tiro.comlicgimmer_bot_.exe, 00000000.00000003.260655277.000000000602B000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                http://pki.goog/gsr1/gsr1.crt02gimmer_bot_.exe, 0000000B.00000002.364453527.00000000061D0000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown

                                                                                Contacted IPs

                                                                                • No. of IPs < 25%
                                                                                • 25% < No. of IPs < 50%
                                                                                • 50% < No. of IPs < 75%
                                                                                • 75% < No. of IPs

                                                                                Public

                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                172.217.168.68
                                                                                		www.google.comUnited States
                                                                                		15169GOOGLEUSfalse
                                                                                208.95.112.1
                                                                                		ip-api.comUnited States
                                                                                		53334TUT-ASUSfalse
                                                                                216.146.43.70
                                                                                		checkip.dyndns.comUnited States
                                                                                		33517DYNDNSUSfalse

                                                                                General Information

                                                                                Joe Sandbox Version:33.0.0 White Diamond
                                                                                Analysis ID:478837
                                                                                Start date:07.09.2021
                                                                                Start time:10:53:18
                                                                                Joe Sandbox Product:CloudBasic
                                                                                Overall analysis duration:0h 12m 13s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Sample file name:gimmer_bot_.exe
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                Number of analysed new started processes analysed:32
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • HDC enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Detection:MAL
                                                                                Classification:mal88.troj.evad.winEXE@7/7@5/3
                                                                                EGA Information:Failed
                                                                                HDC Information:
                                                                                • Successful, ratio: 9.2% (good quality ratio 6.5%)
                                                                                • Quality average: 40.4%
                                                                                • Quality standard deviation: 35.5%
                                                                                HCA Information:
                                                                                • Successful, ratio: 91%
                                                                                • Number of executed functions: 30
                                                                                • Number of non-executed functions: 6
                                                                                Cookbook Comments:
                                                                                • Adjust boot time
                                                                                • Enable AMSI
                                                                                • Found application associated with file extension: .exe
                                                                                Warnings:
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 51.11.168.232, 20.82.209.104, 131.253.33.200, 13.107.22.200, 51.104.136.2, 23.211.6.115, 23.211.4.86, 173.222.108.210, 173.222.108.226, 20.190.160.6, 20.190.160.71, 20.190.160.67, 20.190.160.136, 20.190.160.134, 20.190.160.75, 20.190.160.8, 20.190.160.132, 52.168.117.173, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62
                                                                                • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                Simulations

                                                                                TimeTypeDescription
                                                                                10:54:30API Interceptor1x Sleep call for process: gimmer_bot_.exe modified
                                                                                10:54:45API Interceptor1x Sleep call for process: efsui.exe modified
                                                                                10:55:08API Interceptor1x Sleep call for process: WerFault.exe modified

                                                                                Joe Sandbox View / Context

                                                                                IPs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                208.95.112.1iSkySoftSetup.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                Quotation.jarGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                hhnkZPwzxi.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                lv.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                lv.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                6rZvqRxXli.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                Bxs1wBHcNS.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                10482_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                Order550232.jarGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                Quotation.jarGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                Sbw1yUdMzi.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                hhXB3QLUty.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                SFy2f54HQa.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                04852_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                02368_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                98173_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                61524_Video_Oynat#U0131c#U0131 (1).apkGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                98173_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • ip-api.com/json
                                                                                vIpT2aCuWz.exeGet hashmaliciousBrowse
                                                                                • ip-api.com/json/
                                                                                anelco -DV202109827.jarGet hashmaliciousBrowse
                                                                                • ip-api.com/json/

                                                                                Domains

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                checkip.dyndns.comiSkySoftSetup.exeGet hashmaliciousBrowse
                                                                                • 193.122.130.0
                                                                                q77i7qlQcu.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                RFQ09062021.docGet hashmaliciousBrowse
                                                                                • 132.226.8.169
                                                                                MSDS.exeGet hashmaliciousBrowse
                                                                                • 158.101.44.242
                                                                                atlgpRm6mrwNEbY.exeGet hashmaliciousBrowse
                                                                                • 132.226.8.169
                                                                                Purchase order.exeGet hashmaliciousBrowse
                                                                                • 193.122.6.168
                                                                                QUOTATION.exeGet hashmaliciousBrowse
                                                                                • 158.101.44.242
                                                                                987654222.exeGet hashmaliciousBrowse
                                                                                • 193.122.6.168
                                                                                Revised unpaid Invoices.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                rvKcGQuLPh.exeGet hashmaliciousBrowse
                                                                                • 193.122.6.168
                                                                                MATI0900800009.exeGet hashmaliciousBrowse
                                                                                • 193.122.6.168
                                                                                PO-224473 202128 PFR.exeGet hashmaliciousBrowse
                                                                                • 193.122.6.168
                                                                                00032021.docGet hashmaliciousBrowse
                                                                                • 132.226.247.73
                                                                                Swift TT Copy.exeGet hashmaliciousBrowse
                                                                                • 193.122.6.168
                                                                                Sales Quotation 309020032012.exeGet hashmaliciousBrowse
                                                                                • 132.226.247.73
                                                                                Transfer.exeGet hashmaliciousBrowse
                                                                                • 132.226.8.169
                                                                                AVn7n82qq2.exeGet hashmaliciousBrowse
                                                                                • 132.226.8.169
                                                                                Drawing.docGet hashmaliciousBrowse
                                                                                • 193.122.130.0
                                                                                YTHK21082400.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                August Report.exeGet hashmaliciousBrowse
                                                                                • 193.122.130.0
                                                                                ip-api.comiSkySoftSetup.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Quotation.jarGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                bk0Yz4tRBL.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                hhnkZPwzxi.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                X117Xdqctj.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                ffe39579163c231521098435348019227cca339b735ef.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                lv.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                lv.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                6rZvqRxXli.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Bxs1wBHcNS.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Order550232.jarGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Quotation.jarGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Sbw1yUdMzi.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                hhXB3QLUty.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                SFy2f54HQa.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                vIpT2aCuWz.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                anelco -DV202109827.jarGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Invoice #60122.vbsGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                lkSjT6Eo0h.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                1y18o4LaRQ.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1

                                                                                ASN

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                DYNDNSUSq77i7qlQcu.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                v12J9Am9Y8.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                Revised unpaid Invoices.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                rCCMU7CF4hGet hashmaliciousBrowse
                                                                                • 131.186.190.79
                                                                                YTHK21082400.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                Quotation.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                New order.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                HalkBANKASI 336,pdf..exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                Quotation421-31-08-2021.docGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                DFAXtiyrAb.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                Bill payment .exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                Purchase Order No 210598.pdf.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                RQF #100028153.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                DOC.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.71
                                                                                rYGN8FRKhb.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                list.docGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                swift copy.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                mM8L9rcIm2.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                1SHr8uSiZT.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                O1df1Wv884.exeGet hashmaliciousBrowse
                                                                                • 216.146.43.70
                                                                                TUT-ASUSiSkySoftSetup.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Quotation.jarGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                WJRyvbvOD7.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                hhnkZPwzxi.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                wpljwjYfor.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                lv.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                lv.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                6rZvqRxXli.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Bxs1wBHcNS.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                10482_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Order550232.jarGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Quotation.jarGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                Sbw1yUdMzi.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                hhXB3QLUty.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                SFy2f54HQa.exeGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                04852_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                02368_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                98173_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                61524_Video_Oynat#U0131c#U0131 (1).apkGet hashmaliciousBrowse
                                                                                • 208.95.112.1
                                                                                98173_Video_Oynat#U0131c#U0131.apkGet hashmaliciousBrowse
                                                                                • 208.95.112.1

                                                                                JA3 Fingerprints

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                54328bd36c14bd82ddaa0c04b25ed9adPayment_Advoce.vbsGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                iSkySoftSetup.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                ZSVC7T2jzr.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                CHECKLIST INQ 1119.vbsGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                ZRnB9xi2O3.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                Bxs1wBHcNS.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                q77i7qlQcu.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                Quote_request.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                7ErW9gaqY2.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                2uWbujWn59.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                qPiIazM20w.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                ElA9ccmzco.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                MSDS.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                cbh6HChe1B.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                tJm8pct2Wy.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                E3yRg4ob8v.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                BQBvSqW6KI.dllGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                atlgpRm6mrwNEbY.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                Purchase order.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68
                                                                                #RFQ SAMPLE PRODUCTS09062021.exeGet hashmaliciousBrowse
                                                                                • 172.217.168.68

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_gimmer_bot_.exe_39c3d9a688272c2a133116ddf3a6d569b61cbea_8dcca129_1848d167\Report.wer
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):15444
                                                                                Entropy (8bit):3.764364851981655
                                                                                Encrypted:false
                                                                                SSDEEP:192:kqEICLC9tVPSHBUZMXSaPfGUKiJ/u7sYS274Itya:YIHHiBUZMXSanPJ/u7sYX4Itya
                                                                                MD5:8E3902E2DE07793DC99570C1F2AA1F58
                                                                                SHA1:33FA743F535759F2799078D488ADEFF1D3664E0F
                                                                                SHA-256:A10174E778DD5C2A68F1971FF948E01D636E971311994E4AEB2E481A8BEF306C
                                                                                SHA-512:A4DA381504B441DC295B0C3040EAB8D644F00FE5EE241E4741D00FB0B9DF5678A67C859CFBBDA5C679DB22A99686342E576AC185C0DCA26D9786AA2FFCF16AD3
                                                                                Malicious:true
                                                                                Reputation:low
                                                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.5.5.1.0.8.9.5.2.8.6.4.3.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.5.5.1.0.9.0.6.0.3.6.3.9.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.b.c.1.4.c.2.-.8.4.e.9.-.4.8.f.6.-.9.b.5.e.-.d.6.6.0.4.9.1.8.7.3.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.8.3.f.6.c.8.-.1.7.8.3.-.4.f.3.2.-.8.1.d.9.-.f.3.1.8.b.5.8.d.0.e.8.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.g.i.m.m.e.r._.b.o.t._...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.G.U.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.f.0.-.0.0.0.1.-.0.0.1.7.-.4.e.5.3.-.c.1.6.b.1.1.a.4.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.3.3.a.2.a.8.9.d.1.9.d.d.c.3.3.b.d.9.e.9.0.8.4.f.b.c.8.c.4.6.8.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.a.d.1.6.0.d.7.7.3.b.3.a.2.7.e.9.6.e.7.4.1.f.4.b.3.2.5.1.4.f.9.c.e.5.f.
                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FD8.tmp.dmp
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:Mini DuMP crash report, 15 streams, Tue Sep 7 17:54:59 2021, 0x1205a4 type
                                                                                Category:dropped
                                                                                Size (bytes):349186
                                                                                Entropy (8bit):3.3516836126347247
                                                                                Encrypted:false
                                                                                SSDEEP:3072:wOY4xWg+RIoeQJi0Pjd+py0btUCgU3Do+89gIOgF5xp9HuWC:wOvqPJi0IpyeTjTx89RpDxTa
                                                                                MD5:A089C39F7E66BDA8D50E16EA7A638F61
                                                                                SHA1:CA35CA1931F39F99E23A53D3F151D8DEC04C2CF1
                                                                                SHA-256:68F6C71505A07FF86C8DB121ADFACD9DA578D75DF09BE7CB556175AA3EF1D48F
                                                                                SHA-512:475BF00B240CB594D89B155D136D24042F0F97E823F29B51BA2DC67EBA1D436FE21959824CB1263E7C257A7261D2A4E074A3A7405F5CFE7F695E851D9D00E863
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: MDMP....... .......s.7a...................U...........B.......*......GenuineIntelW...........T...........[.7a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERB322.tmp.WERInternalMetadata.xml
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):8364
                                                                                Entropy (8bit):3.6882503822313595
                                                                                Encrypted:false
                                                                                SSDEEP:192:Rrl7r3GLNiCE6bV9mhY6Y0Y6VgmfZ2SMCprk89bDVsfu8hm:RrlsNi56bOhY6Yj6Vgmf0S1Duf8
                                                                                MD5:9F4BB350EE1AC8E0CDF812307A8C402C
                                                                                SHA1:BB3305208143AC6CACA8A4DFC9FB69F7A99F8EC5
                                                                                SHA-256:32ED4CCA9C8F31D6A52A23EA42C87B935EC3E2BF9D7D1464AD2359290C1668E8
                                                                                SHA-512:5BEABCEBAA60E1A9F3E36296E6E13793AE3116ED3675FCD74A8B0803AA24E3F72CA7643FBBBC2EA915888933DD44CD2009A89D27EF21EB95D7C2A9ACD1456FFE
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.6.<./.P.i.d.>.........
                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6AD.tmp.xml
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):4754
                                                                                Entropy (8bit):4.455689605715041
                                                                                Encrypted:false
                                                                                SSDEEP:48:cvIwSD8zslJgtWI9oOQcOCVWSC8Bw8fm8M4JaVorqKnFe+q8voorqK1W0J0wd:uITf/RVccSNfJEdKiUvSwd
                                                                                MD5:421EC7677476CF16EC6C20C4825B46E8
                                                                                SHA1:CFD23BF2CCB1ED6BEC6AE6BF351E84B70D7CE303
                                                                                SHA-256:4E7C8CE08F6F17710FD7093DFD81BC796590D56865C9062FCB07D7129D517358
                                                                                SHA-512:16FD1D43DF41D10A8E34664D6CCD4FDE6C3EF953B75FE778ECCD4D5E70E2B2473B77E2A88F961B1453FDC51D383BC33ADB716334A7F922A3DE09AE68CB117117
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1156505" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                C:\Users\user\AppData\Local\ASUNCB-bLFefWYgiffPPc
                                                                                Process:C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):21
                                                                                Entropy (8bit):4.070656113151928
                                                                                Encrypted:false
                                                                                SSDEEP:3:B6f:B6f
                                                                                MD5:480890D7273FC2A18BE492B2E5B1B0E0
                                                                                SHA1:05FF0E30913BFF2E62DCAF35AA8D7DDAA44EF882
                                                                                SHA-256:EFBC5FA5D368F96E3F4EB6D9AEFE402FA63CA86726DE46B69356795CE91B25D6
                                                                                SHA-512:462D910A4CC621929F1C1FC3B56C8DB65D9A86976D8D9877B6100009789EBF6AE176553F493E64A561AA868D805197D23340403FC59DA260A1EC0946C393C50E
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: ASUNCB-bLFefWYgiffPPc
                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gimmer_bot_.exe.log
                                                                                Process:C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1216
                                                                                Entropy (8bit):5.355304211458859
                                                                                Encrypted:false
                                                                                SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                                                MD5:B666A4404B132B2BF6C04FBF848EB948
                                                                                SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                                                SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                                                SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                                                Malicious:true
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                C:\Users\user\Desktop\Macrural.txt
                                                                                Process:C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):8
                                                                                Entropy (8bit):1.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:rr:/
                                                                                MD5:90BF63FA7217A4E5A60F421B64AB30EB
                                                                                SHA1:1614DF9F3CB1B5E1DC040B2D7DD942F355994509
                                                                                SHA-256:E6C767AAABB678ED4D3FB4F5C9193C55ABF9739F641095705E94F198F08010F9
                                                                                SHA-512:B88E6D9BCCDF292EF62A18F9D080B7BFBBC893F5A3B892634F855558ADC6B332E158A629365E0BF319C3D949215F0B878837C2F813B087769671FCED831A7955
                                                                                Malicious:false
                                                                                Preview: ........

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):7.312546726647148
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                File name:gimmer_bot_.exe
                                                                                File size:1088232
                                                                                MD5:e41a75968f8870dafde82be208250165
                                                                                SHA1:90ad160d773b3a27e96e741f4b32514f9ce5f0b3
                                                                                SHA256:dfe58673321d387512d2604be0b7219ee758f2e717c13b64f6cfd7f7a846339f
                                                                                SHA512:3f4b842204e4799cc7024fe5a25d20eaa55cdae4b921dba9d1bab300ab65fb5cd2cee7bc7b24d2dfc73447e83a17c73e9f784aafc20c028bbb7f8dc862b85fbe
                                                                                SSDEEP:24576:5ikCYlpQnnD0vlFznQ4jLYMaGl4EcmZHAFaxmVmie9bngP47iAjwd:5ZCaSnD0vlFznPj+Gl4EcmZHAFaxmVmm
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...En................... ...........>... ...@....@.. .......................`......~!....@................................

                                                                                File Icon

                                                                                Icon Hash:1271e8f8dcd47192

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x4a3e1e
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:true
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                Time Stamp:0xECCE6E45 [Thu Nov 24 05:40:21 2095 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:v4.0.30319
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Authenticode Signature

                                                                                Signature Valid:false
                                                                                Signature Issuer:CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                Error Number:-2146869232
                                                                                Not Before, Not After
                                                                                • 7/2/2019 5:00:00 PM 8/20/2021 5:00:00 AM
                                                                                Subject Chain
                                                                                • CN=Malwarebytes Inc, O=Malwarebytes Inc, L=Santa Clara, S=California, C=US
                                                                                Version:3
                                                                                Thumbprint MD5:D51B8AEBED6D1E6C35F2F6FB092C0224
                                                                                Thumbprint SHA-1:816BE9397F66D1A26EFA04035BCA3BB9E3779740
                                                                                Thumbprint SHA-256:642577228C33F97B53278CE40767DE78C84A663F269DB23FFB5538A31CD0FED5
                                                                                Serial:08A2EC4E78A09E174B192E5535984B59
                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                NameVirtual AddressVirtual Size Is in Section
                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xa3dd00x4b.text
                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xa60000x5dafc.rsrc
                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x101ca00x7e48
                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x1040000xc.reloc
                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text

                                                                                Sections

                                                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                .text0x20000xa1e240xa2000False0.877925166377data7.82079440488IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                .sdata0xa40000x1e80x200False0.859375data6.59915009273IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                .rsrc0xa60000x5dafc0x5dc00False0.54921875data5.9472951809IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                .reloc0x1040000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                NameRVASizeTypeLanguageCountry
                                                                                RT_ICON0xa64000x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xaa6280x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xacbd00x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xadc780x468GLS_BINARY_LSB_FIRST
                                                                                RT_ICON0xae0e00x468GLS_BINARY_LSB_FIRST
                                                                                RT_ICON0xae5480x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xaf5f00x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xb1b980x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xb5dc00x10828dBase III DBT, version number 0, next free block index 40
                                                                                RT_ICON0xc65e80x2540PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                RT_ICON0xc8b280x468GLS_BINARY_LSB_FIRST
                                                                                RT_ICON0xc8f900x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xca0380x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xcc5e00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                                                RT_ICON0xd08080x10828dBase III DBT, version number 0, next free block index 40
                                                                                RT_ICON0xe10300x224b8PNG image data, 256 x 256, 16-bit/color RGBA, non-interlaced
                                                                                RT_GROUP_ICON0x1034e80xe6data
                                                                                RT_VERSION0x1035d00x340data
                                                                                RT_MANIFEST0x1039100x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                DLLImport
                                                                                mscoree.dll_CorExeMain
                                                                                DescriptionData
                                                                                Translation0x0000 0x04b0
                                                                                LegalCopyrightCopyright 2019
                                                                                Assembly Version0.0.4.9
                                                                                InternalNameGUy.exe
                                                                                FileVersion0.0.5.1
                                                                                CompanyNameFamous NZ Production
                                                                                LegalTrademarksNZ
                                                                                Comments
                                                                                ProductNameRotativa Mini
                                                                                ProductVersion0.0.5.1
                                                                                FileDescriptionRotativa Mini
                                                                                OriginalFilenameGUy.exe

                                                                                Network Behavior

                                                                                Download Network PCAP: filteredfull

                                                                                Network Port Distribution

                                                                                • Total Packets: 67
                                                                                • 443 (HTTPS)
                                                                                • 80 (HTTP)
                                                                                • 53 (DNS)
                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                Sep 7, 2021 10:54:40.899884939 CEST4970880192.168.2.7216.146.43.70
                                                                                Sep 7, 2021 10:54:40.944890022 CEST8049708216.146.43.70192.168.2.7
                                                                                Sep 7, 2021 10:54:40.945051908 CEST4970880192.168.2.7216.146.43.70
                                                                                Sep 7, 2021 10:54:40.946580887 CEST4970880192.168.2.7216.146.43.70
                                                                                Sep 7, 2021 10:54:40.991134882 CEST8049708216.146.43.70192.168.2.7
                                                                                Sep 7, 2021 10:54:40.991175890 CEST8049708216.146.43.70192.168.2.7
                                                                                Sep 7, 2021 10:54:40.991192102 CEST8049708216.146.43.70192.168.2.7
                                                                                Sep 7, 2021 10:54:40.991254091 CEST4970880192.168.2.7216.146.43.70
                                                                                Sep 7, 2021 10:54:40.992810011 CEST4970880192.168.2.7216.146.43.70
                                                                                Sep 7, 2021 10:54:41.037169933 CEST8049708216.146.43.70192.168.2.7
                                                                                Sep 7, 2021 10:54:41.099878073 CEST4970980192.168.2.7208.95.112.1
                                                                                Sep 7, 2021 10:54:41.133809090 CEST8049709208.95.112.1192.168.2.7
                                                                                Sep 7, 2021 10:54:41.134282112 CEST4970980192.168.2.7208.95.112.1
                                                                                Sep 7, 2021 10:54:41.136008024 CEST4970980192.168.2.7208.95.112.1
                                                                                Sep 7, 2021 10:54:41.168225050 CEST8049709208.95.112.1192.168.2.7
                                                                                Sep 7, 2021 10:54:41.213112116 CEST4970980192.168.2.7208.95.112.1
                                                                                Sep 7, 2021 10:54:41.268065929 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.295169115 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.295311928 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.348721027 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.375046015 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.390593052 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.390674114 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.390707970 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.390728951 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.390821934 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.390862942 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.404982090 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.432677984 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.478720903 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.580514908 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.613081932 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.748526096 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.748573065 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.748610973 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.748636961 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.748645067 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.748675108 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.748701096 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.748718023 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.748779058 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.750332117 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.750370979 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.750463963 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.752348900 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.752393961 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.752465010 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.754218102 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.754271030 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.754453897 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.756057024 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.756083012 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.756206989 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.757997036 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.776032925 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.776134968 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.776185989 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.776231050 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.776237965 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.776290894 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.777772903 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.777796030 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.777905941 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.779728889 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.779759884 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.779814959 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.781604052 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.781645060 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.781681061 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.783473015 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.783508062 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.783554077 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.785379887 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.785413980 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.785480976 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.787307978 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.787347078 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.787400007 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.788948059 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.788997889 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.789072037 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.790710926 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.790751934 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.790807009 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.792469025 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.792510986 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.792586088 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:54:41.794063091 CEST44349710172.217.168.68192.168.2.7
                                                                                Sep 7, 2021 10:54:41.794301033 CEST49710443192.168.2.7172.217.168.68
                                                                                Sep 7, 2021 10:55:12.693958044 CEST4970980192.168.2.7208.95.112.1
                                                                                Sep 7, 2021 10:55:12.694026947 CEST49710443192.168.2.7172.217.168.68
                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                Sep 7, 2021 10:54:09.422661066 CEST5377553192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:09.432678938 CEST5183753192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:09.455872059 CEST53537758.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:09.480870962 CEST53518378.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:09.530951023 CEST5541153192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:09.575967073 CEST53554118.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:09.635200977 CEST6366853192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:09.671756983 CEST53636688.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:12.149243116 CEST5464053192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:12.184990883 CEST53546408.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:25.976946115 CEST5873953192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:26.016171932 CEST53587398.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:40.793246984 CEST6033853192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:40.821600914 CEST53603388.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:40.845637083 CEST5871753192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:40.870289087 CEST53587178.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:41.072016001 CEST5976253192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:41.097208023 CEST53597628.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:41.231939077 CEST5432953192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:41.266031981 CEST53543298.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:43.919209957 CEST5805253192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:43.970928907 CEST53580528.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:54:44.519871950 CEST5400853192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:54:44.557343006 CEST53540088.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:04.905651093 CEST5945153192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:04.939409018 CEST53594518.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:07.076679945 CEST5291453192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:07.109029055 CEST53529148.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:07.590876102 CEST6456953192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:07.626621962 CEST53645698.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:16.086980104 CEST5281653192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:16.167026043 CEST53528168.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:16.695245028 CEST5078153192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:16.765175104 CEST53507818.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:16.908787012 CEST5423053192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:16.958051920 CEST53542308.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:17.396229982 CEST5491153192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:17.430259943 CEST53549118.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:17.893253088 CEST4995853192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:17.926143885 CEST53499588.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:18.585376024 CEST5086053192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:18.618248940 CEST53508608.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:19.122483015 CEST5045253192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:19.157798052 CEST53504528.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:19.749758005 CEST5973053192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:19.785454035 CEST53597308.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:21.333549023 CEST5931053192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:21.365886927 CEST53593108.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:21.601234913 CEST5191953192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:21.636367083 CEST53519198.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:22.261267900 CEST6429653192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:22.302632093 CEST53642968.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:55:22.919414043 CEST5668053192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:55:22.955503941 CEST53566808.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:56:03.076189995 CEST5882053192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:56:03.109143019 CEST53588208.8.8.8192.168.2.7
                                                                                Sep 7, 2021 10:56:05.810619116 CEST6098353192.168.2.78.8.8.8
                                                                                Sep 7, 2021 10:56:05.853559971 CEST53609838.8.8.8192.168.2.7

                                                                                DNS Queries

                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                Sep 7, 2021 10:54:40.793246984 CEST192.168.2.78.8.8.80x6d0Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.845637083 CEST192.168.2.78.8.8.80x3111Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:41.072016001 CEST192.168.2.78.8.8.80xef9Standard query (0)ip-api.comA (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:41.231939077 CEST192.168.2.78.8.8.80x3074Standard query (0)www.google.comA (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:43.919209957 CEST192.168.2.78.8.8.80xebStandard query (0)2fxv5e.makeiralone.ruA (IP address)IN (0x0001)

                                                                                DNS Answers

                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.com216.146.43.70A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.821600914 CEST8.8.8.8192.168.2.70x6d0No error (0)checkip.dyndns.com216.146.43.71A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.com216.146.43.70A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:40.870289087 CEST8.8.8.8192.168.2.70x3111No error (0)checkip.dyndns.com216.146.43.71A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:41.097208023 CEST8.8.8.8192.168.2.70xef9No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:41.266031981 CEST8.8.8.8192.168.2.70x3074No error (0)www.google.com172.217.168.68A (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:54:43.970928907 CEST8.8.8.8192.168.2.70xebName error (3)2fxv5e.makeiralone.runonenoneA (IP address)IN (0x0001)
                                                                                Sep 7, 2021 10:55:07.109029055 CEST8.8.8.8192.168.2.70x5146No error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.akadns.netCNAME (Canonical name)IN (0x0001)

                                                                                HTTP Request Dependency Graph

                                                                                • checkip.dyndns.org
                                                                                • ip-api.com

                                                                                HTTP Packets

                                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                0192.168.2.749708216.146.43.7080C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                TimestampkBytes transferredDirectionData
                                                                                Sep 7, 2021 10:54:40.946580887 CEST1377OUTGET / HTTP/1.1
                                                                                Host: checkip.dyndns.org
                                                                                Connection: Keep-Alive
                                                                                Sep 7, 2021 10:54:40.991175890 CEST1378INHTTP/1.1 200 OK
                                                                                Content-Type: text/html
                                                                                Server: DynDNS-CheckIP/1.0.1
                                                                                Connection: close
                                                                                Cache-Control: no-cache
                                                                                Pragma: no-cache
                                                                                Content-Length: 103
                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 34 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.41</body></html>


                                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                1192.168.2.749709208.95.112.180C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                TimestampkBytes transferredDirectionData
                                                                                Sep 7, 2021 10:54:41.136008024 CEST1378OUTGET /json/ HTTP/1.1
                                                                                Host: ip-api.com
                                                                                Connection: Keep-Alive
                                                                                Sep 7, 2021 10:54:41.168225050 CEST1379INHTTP/1.1 200 OK
                                                                                Date: Tue, 07 Sep 2021 08:54:40 GMT
                                                                                Content-Type: application/json; charset=utf-8
                                                                                Content-Length: 281
                                                                                Access-Control-Allow-Origin: *
                                                                                X-Ttl: 60
                                                                                X-Rl: 44
                                                                                Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 31 35 32 22 2c 22 6c 61 74 22 3a 34 37 2e 34 33 2c 22 6c 6f 6e 22 3a 38 2e 35 37 31 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 43 64 6e 37 37 20 5a 55 52 20 49 54 58 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 34 31 22 7d
                                                                                Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.41"}


                                                                                HTTPS Packets

                                                                                TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                Sep 7, 2021 10:54:41.390728951 CEST172.217.168.68443192.168.2.749710CN=www.google.com CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=USCN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BEMon Aug 16 05:56:32 CEST 2021 Thu Aug 13 02:00:42 CEST 2020 Fri Jun 19 02:00:42 CEST 2020Mon Nov 08 04:56:31 CET 2021 Thu Sep 30 02:00:42 CEST 2027 Fri Jan 28 01:00:42 CET 2028769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,054328bd36c14bd82ddaa0c04b25ed9ad
                                                                                CN=GTS CA 1C3, O=Google Trust Services LLC, C=USCN=GTS Root R1, O=Google Trust Services LLC, C=USThu Aug 13 02:00:42 CEST 2020Thu Sep 30 02:00:42 CEST 2027
                                                                                CN=GTS Root R1, O=Google Trust Services LLC, C=USCN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BEFri Jun 19 02:00:42 CEST 2020Fri Jan 28 01:00:42 CET 2028

                                                                                Code Manipulations

                                                                                Statistics

                                                                                CPU Usage

                                                                                Click to jump to process

                                                                                Memory Usage

                                                                                Click to jump to process

                                                                                High Level Behavior Distribution

                                                                                • File
                                                                                • Registry
                                                                                • Network

                                                                                Click to dive into process behavior distribution

                                                                                Behavior

                                                                                Click to jump to process

                                                                                System Behavior

                                                                                Analysis Process: gimmer_bot_.exe PID: 3764 Parent PID: 2868

                                                                                Function Logs

                                                                                General

                                                                                Start time:10:54:16
                                                                                Start date:07/09/2021
                                                                                Path:C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\Desktop\gimmer_bot_.exe'
                                                                                Imagebase:0xbc0000
                                                                                File size:1088232 bytes
                                                                                MD5 hash:E41A75968F8870DAFDE82BE208250165
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:low
                                                                                Show Windows behavior

                                                                                File Activities

                                                                                Show Windows behavior

                                                                                Section Activities

                                                                                Show Windows behavior

                                                                                Registry Activities

                                                                                Show Windows behavior

                                                                                Mutex Activities

                                                                                Show Windows behavior

                                                                                Process Activities

                                                                                Show Windows behavior

                                                                                Thread Activities

                                                                                Show Windows behavior

                                                                                Memory Activities

                                                                                Show Windows behavior

                                                                                System Activities

                                                                                Show Windows behavior

                                                                                Windows UI Activities

                                                                                Show Windows behavior

                                                                                Process Token Activities

                                                                                Show Windows behavior

                                                                                LPC Port Activities

                                                                                Analysis Process: gimmer_bot_.exe PID: 1384 Parent PID: 3764

                                                                                Function Logs

                                                                                General

                                                                                Start time:10:54:35
                                                                                Start date:07/09/2021
                                                                                Path:C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:{path}
                                                                                Imagebase:0x330000
                                                                                File size:1088232 bytes
                                                                                MD5 hash:E41A75968F8870DAFDE82BE208250165
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Show Windows behavior

                                                                                Memory Activities

                                                                                Analysis Process: gimmer_bot_.exe PID: 496 Parent PID: 3764

                                                                                Function Logs

                                                                                General

                                                                                Start time:10:54:36
                                                                                Start date:07/09/2021
                                                                                Path:C:\Users\user\Desktop\gimmer_bot_.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:{path}
                                                                                Imagebase:0x900000
                                                                                File size:1088232 bytes
                                                                                MD5 hash:E41A75968F8870DAFDE82BE208250165
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:low
                                                                                Show Windows behavior

                                                                                File Activities

                                                                                Show Windows behavior

                                                                                Section Activities

                                                                                Show Windows behavior

                                                                                Registry Activities

                                                                                Show Windows behavior

                                                                                Mutex Activities

                                                                                Show Windows behavior

                                                                                Process Activities

                                                                                Show Windows behavior

                                                                                Thread Activities

                                                                                Show Windows behavior

                                                                                Memory Activities

                                                                                Show Windows behavior

                                                                                System Activities

                                                                                Show Windows behavior

                                                                                Timing Activities

                                                                                Show Windows behavior

                                                                                Network Activities

                                                                                Show Windows behavior

                                                                                Process Token Activities

                                                                                Show Windows behavior

                                                                                LPC Port Activities

                                                                                Analysis Process: efsui.exe PID: 6424 Parent PID: 584

                                                                                Function Logs

                                                                                General

                                                                                Start time:10:54:44
                                                                                Start date:07/09/2021
                                                                                Path:C:\Windows\System32\efsui.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:efsui.exe /efs /keybackup
                                                                                Imagebase:0x7ff6a14f0000
                                                                                File size:14336 bytes
                                                                                MD5 hash:DC2961C58C8E0395105285C342C65BE8
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Show Windows behavior

                                                                                File Activities

                                                                                Show Windows behavior

                                                                                Section Activities

                                                                                Show Windows behavior

                                                                                Registry Activities

                                                                                Show Windows behavior

                                                                                Mutex Activities

                                                                                Show Windows behavior

                                                                                Process Activities

                                                                                Show Windows behavior

                                                                                Thread Activities

                                                                                Show Windows behavior

                                                                                Memory Activities

                                                                                Show Windows behavior

                                                                                System Activities

                                                                                Show Windows behavior

                                                                                Timing Activities

                                                                                Show Windows behavior

                                                                                Windows UI Activities

                                                                                Show Windows behavior

                                                                                LPC Port Activities

                                                                                Analysis Process: WerFault.exe PID: 6628 Parent PID: 496

                                                                                Function Logs

                                                                                General

                                                                                Start time:10:54:52
                                                                                Start date:07/09/2021
                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 1944
                                                                                Imagebase:0xa80000
                                                                                File size:434592 bytes
                                                                                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:high
                                                                                Show Windows behavior

                                                                                File Activities

                                                                                Show Windows behavior

                                                                                Section Activities

                                                                                Show Windows behavior

                                                                                Registry Activities

                                                                                Show Windows behavior

                                                                                Mutex Activities

                                                                                Show Windows behavior

                                                                                Process Activities

                                                                                Show Windows behavior

                                                                                Thread Activities

                                                                                Show Windows behavior

                                                                                Memory Activities

                                                                                Show Windows behavior

                                                                                System Activities

                                                                                Show Windows behavior

                                                                                Timing Activities

                                                                                Show Windows behavior

                                                                                Windows UI Activities

                                                                                Show Windows behavior

                                                                                Process Token Activities

                                                                                Show Windows behavior

                                                                                Object Security Activities

                                                                                Show Windows behavior

                                                                                LPC Port Activities

                                                                                Disassembly

                                                                                Code Analysis

                                                                                Analysis Process: gimmer_bot_.exe PID: 3764 Parent PID: 2868 gimmer_bot_.exeCOMMON

                                                                                Executed Functions

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(?), ref: 02DDDA19
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: eeb1952c296a4ad681af23df1913c7f2306f75895a1ab352aa5ada72aca8640f
                                                                                • Instruction ID: 5230fc2c632e6306c457c3e7f5818cbb653ee06f34da891de74148692d7ad570
                                                                                • Opcode Fuzzy Hash: eeb1952c296a4ad681af23df1913c7f2306f75895a1ab352aa5ada72aca8640f
                                                                                • Instruction Fuzzy Hash: DB410FB1D04658DFDF10CFA9D884B9EBBF2BB59304F10912AE814AB385D774A885CF81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02DDD6DF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 0ffd71af64e9c390249397266d8f8b44746acf00a70799df74b0354599240cb9
                                                                                • Instruction ID: f083cac45c3d3813b30099e98f8e88347bbb162f57ae6d6ae89d32a0135eb149
                                                                                • Opcode Fuzzy Hash: 0ffd71af64e9c390249397266d8f8b44746acf00a70799df74b0354599240cb9
                                                                                • Instruction Fuzzy Hash: 793196B9D002489FCF10CFA9E880ADEFBB1BB19310F14902AE818B7310D774A945CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02DDEAD9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 4e45c498c2a29b1e97afe8eca5d6b0c05ab61512c2023edb5d1ea93200842e73
                                                                                • Instruction ID: 6a67d1544b333db94fb2be6b2e6f1ee8fc811e83e9f401f125c3cf09a79c03dc
                                                                                • Opcode Fuzzy Hash: 4e45c498c2a29b1e97afe8eca5d6b0c05ab61512c2023edb5d1ea93200842e73
                                                                                • Instruction Fuzzy Hash: 423174B8D042589FCF10DFA9D984A9EFBB4BB09324F10902AE815BB310D775A946CF65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289961643.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e94411ced64857f7b442bab60566d5e87ca39c9cca182538b0db08602b813e4d
                                                                                • Instruction ID: 356153d2ca1638d119673b7082a4c3ceb731b225c4954b2e3cff5b576df9894f
                                                                                • Opcode Fuzzy Hash: e94411ced64857f7b442bab60566d5e87ca39c9cca182538b0db08602b813e4d
                                                                                • Instruction Fuzzy Hash: 6E2137B1514248DFCF15DF5CD9C4B26BBA5FB84364F248569E9094B206C33AD807D7B2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289961643.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 32dd3ce24b0693b7aacf5469d365a567b784bf386a30e297950beef7c42a512d
                                                                                • Instruction ID: ceb92234f385a4458636bdd0674b94814e2d433b40bc0c833a116da722f5cbcc
                                                                                • Opcode Fuzzy Hash: 32dd3ce24b0693b7aacf5469d365a567b784bf386a30e297950beef7c42a512d
                                                                                • Instruction Fuzzy Hash: 662134B1514208DFDF01DFA8D9C0B26BBA5FB84324F24C9ADE9094B246C37AD846DB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289961643.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ade4b7ddf5562334a35e0007ea893cc0690f72ac7f362b2a160c4d7f19519320
                                                                                • Instruction ID: 1b42c32162f46d4c4c0fd3882b3ef76fefbc3aa779c984752d61f81d254ee629
                                                                                • Opcode Fuzzy Hash: ade4b7ddf5562334a35e0007ea893cc0690f72ac7f362b2a160c4d7f19519320
                                                                                • Instruction Fuzzy Hash: 892137F2614248DFDF05DF98D9C0B26BBA5FB84314F20C96DE9094B246C37AD846DB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289961643.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 098c843f1ffb083d830a919171d78be83589444a99b6aae4f42cddf7e6dadc70
                                                                                • Instruction ID: 81ee67f1a7385cff9b7290048e6ee240e1435d59d5887c91eba573a8fe503d3e
                                                                                • Opcode Fuzzy Hash: 098c843f1ffb083d830a919171d78be83589444a99b6aae4f42cddf7e6dadc70
                                                                                • Instruction Fuzzy Hash: 7011BE76504284CFCF12CF18D5C4B16BFB1FB84324F28C6AAD9080B606C33AD45ADBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289961643.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8cd6652bbec5b900f61a88fbd802327aaa7d4c9034767cde49dc0924c5323a84
                                                                                • Instruction ID: 67a39a8426fde6cf34c91271527e45d6aaac56ef410cb22c79f62f10bae35e4f
                                                                                • Opcode Fuzzy Hash: 8cd6652bbec5b900f61a88fbd802327aaa7d4c9034767cde49dc0924c5323a84
                                                                                • Instruction Fuzzy Hash: 7811BBB6504284CFDB06CF18D9C4B15BBA1FB84224F28C6AED9494B656C33AD45ACB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289961643.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8cd6652bbec5b900f61a88fbd802327aaa7d4c9034767cde49dc0924c5323a84
                                                                                • Instruction ID: 480295334723e28ea8a40ded5d82cc7c67a466246f6b86329368730c50d956e8
                                                                                • Opcode Fuzzy Hash: 8cd6652bbec5b900f61a88fbd802327aaa7d4c9034767cde49dc0924c5323a84
                                                                                • Instruction Fuzzy Hash: 4D11BB75504684CFCB02CF68D5C0B15BBA1FB84224F28C6AAD9494B656C33AD45ACFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290564322.0000000002FA0000.00000040.00000001.sdmp, Offset: 02FA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 220d26fd9dc83227de06611fc9911da238a2cb56ecfb20f69fb2646f109135cc
                                                                                • Instruction ID: 4c22bd3c17686bf1fdf2d777d7fd9e2c23e2006b17e5187f25754ef55b5e902b
                                                                                • Opcode Fuzzy Hash: 220d26fd9dc83227de06611fc9911da238a2cb56ecfb20f69fb2646f109135cc
                                                                                • Instruction Fuzzy Hash: 38F0F0B1A0428A8FDB14CFB4D4127AEBFF0EF49350F1486AAE511DB251DB359002CB80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290564322.0000000002FA0000.00000040.00000001.sdmp, Offset: 02FA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 97be44447d359fe7181a792fca19644cd7e0621b7e3c62b577c5180188faad56
                                                                                • Instruction ID: f72e380e0ac563b9a8bdf69bacc231c44a789483d2c0e8e759f4ff9c1fdffabf
                                                                                • Opcode Fuzzy Hash: 97be44447d359fe7181a792fca19644cd7e0621b7e3c62b577c5180188faad56
                                                                                • Instruction Fuzzy Hash: B3F0DAB1E0420EDFDB54DFA9D851BAEBFF4AB48200F1049A9D919E7201EB719500CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290564322.0000000002FA0000.00000040.00000001.sdmp, Offset: 02FA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fb7d92a9e7d1bcae6f665df029dfda3b52082e5f2639666d3ff01f40e33bc86d
                                                                                • Instruction ID: 5521e0ce11398bdfd6e570f17ee631c2dfbc2bd399e0e82651a4f0c692588fd9
                                                                                • Opcode Fuzzy Hash: fb7d92a9e7d1bcae6f665df029dfda3b52082e5f2639666d3ff01f40e33bc86d
                                                                                • Instruction Fuzzy Hash: 71E092B5D40209DFD740EFA9D915B9EBBF0AB08640F1185A9D119E7211EBB496048F91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290564322.0000000002FA0000.00000040.00000001.sdmp, Offset: 02FA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1a8179eb604f7eab81e59c7d24b8d068230c024d4ee69b0ade50ba66a42d75da
                                                                                • Instruction ID: e3829d0553ba4208e41a40b0b67b10116e15e1f490c59140d33401f346cbbf8e
                                                                                • Opcode Fuzzy Hash: 1a8179eb604f7eab81e59c7d24b8d068230c024d4ee69b0ade50ba66a42d75da
                                                                                • Instruction Fuzzy Hash: D7D012335501089E4B40EE95E800D52BBDCBB147407008026F648CB521EB22E434EB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: <l$<l
                                                                                • API String ID: 0-242599693
                                                                                • Opcode ID: bc32a9806a33f0a4f2a645a2b1b172719b5e7284ae259b5fc408e9e18c07e27d
                                                                                • Instruction ID: c877fba0d8e950aa528b6ec24f0cc0b0413c3dac81265328125a3315b9989c9f
                                                                                • Opcode Fuzzy Hash: bc32a9806a33f0a4f2a645a2b1b172719b5e7284ae259b5fc408e9e18c07e27d
                                                                                • Instruction Fuzzy Hash: EE2291B4E016298FDB64DF28DD98AD9BBB1BB49301F1081EAD90DA7354DB309E85CF44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289306739.0000000000BC2000.00000002.00020000.sdmp, Offset: 00BC0000, based on PE: true
                                                                                • Associated: 00000000.00000002.289297985.0000000000BC0000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.289575682.0000000000C66000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.289599344.0000000000C77000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.289619446.0000000000C86000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.289643686.0000000000C92000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000000.00000002.289664705.0000000000CA0000.00000002.00020000.sdmp Download File
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c55f6f1b1919295b2ef022f6461e36e209256e095b939a64861ccb913af63948
                                                                                • Instruction ID: d353e044ecbcb2b45a7b85d24137be6f5f37193e5fb6f18e1bd5b68ed38785cc
                                                                                • Opcode Fuzzy Hash: c55f6f1b1919295b2ef022f6461e36e209256e095b939a64861ccb913af63948
                                                                                • Instruction Fuzzy Hash: DBF1746244E3C0AFC3138BB44C7AA917FB59E17218B5E48DFD4C08F4B3D15A199ADB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a2e4f73b06fa2649b8f0fffb19b001bc072283d1aa40dde4312faa46af1805ae
                                                                                • Instruction ID: 26ef6a4d8f16dde8e93a1cb9cb319a2c3e82eb0da488a07f6c6e9080e56cddb6
                                                                                • Opcode Fuzzy Hash: a2e4f73b06fa2649b8f0fffb19b001bc072283d1aa40dde4312faa46af1805ae
                                                                                • Instruction Fuzzy Hash: B6914675D416288BEB68CF1BCD406DAFAF3AFC8305F14C1EAD90CA6254EB305A918F40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: faed6fe3760f8d7624142a9fcd6e99f1c4c8b13a000081ac975b89eabbc8b720
                                                                                • Instruction ID: 4a2320b46795d77baaf428687cb1ba500f49fe666d8ab8a4b5ad87e03d228402
                                                                                • Opcode Fuzzy Hash: faed6fe3760f8d7624142a9fcd6e99f1c4c8b13a000081ac975b89eabbc8b720
                                                                                • Instruction Fuzzy Hash: 2E517C70E142498FDB15FFB9F5A969E7BB2AB88304F04C82AD104DB368DB709806DB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2bb19ce61576d368765a479e6b90e555b50f6720d28e62b136d8801bec7c45b7
                                                                                • Instruction ID: a4cf32943b848254583f42a2a15f05caa236e8067e0ae074f5a7d02f74f3a37c
                                                                                • Opcode Fuzzy Hash: 2bb19ce61576d368765a479e6b90e555b50f6720d28e62b136d8801bec7c45b7
                                                                                • Instruction Fuzzy Hash: 57514B70E142498FDB55FFB9F56969E7BB2AB98304F00C82AD108DB368DB7098069B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290435945.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8be012d635dc221fc06caf2a42cd8c38f37e5331343f02de8b2356f1d76cddc9
                                                                                • Instruction ID: deb0d4d5427b721f797555d799651d7851399ed502217a0f24bb29e61ebadbad
                                                                                • Opcode Fuzzy Hash: 8be012d635dc221fc06caf2a42cd8c38f37e5331343f02de8b2356f1d76cddc9
                                                                                • Instruction Fuzzy Hash: CA41ECB1D04648DFDF10CFA9D984BAEBBF2BB49318F209429E414AB350D7749885CF85
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: gimmer_bot_.exe PID: 496 Parent PID: 3764 gimmer_bot_.exeCOMMON

                                                                                Executed Functions

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(00000000,00000000), ref: 052F9DD1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.364013934.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID:
                                                                                • API String ID: 1974802433-0
                                                                                • Opcode ID: a2aa455fac62a8fa92eedb3c4af124b5bf80f989d376179962dac1603710a022
                                                                                • Instruction ID: 8276443db57c189a420ee87fe80ac041aff4a2e47c44e673543efd4faaf23bf9
                                                                                • Opcode Fuzzy Hash: a2aa455fac62a8fa92eedb3c4af124b5bf80f989d376179962dac1603710a022
                                                                                • Instruction Fuzzy Hash: D251E0B0D14219DFDB24DFA9E988B9EFBF1BF48304F24842AE509AB350D7749885CB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(00000000,00000000), ref: 052F9DD1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.364013934.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID:
                                                                                • API String ID: 1974802433-0
                                                                                • Opcode ID: ac56a580239927f29f4c71fb768bcd51d3915d07137a783cfe5725bdf0337b10
                                                                                • Instruction ID: 7cd1ae63c8fd64e2eca2db56a635b3ba6f88180793904f6357563a3d9cc2d7ae
                                                                                • Opcode Fuzzy Hash: ac56a580239927f29f4c71fb768bcd51d3915d07137a783cfe5725bdf0337b10
                                                                                • Instruction Fuzzy Hash: 7A51E070D14218DFDB24DFA9D988B9EFBF2BF48304F24802AE509AB350D7749885CB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindNextFileW.KERNELBASE(00000000,00000000), ref: 052FA06A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.364013934.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: FileFindNext
                                                                                • String ID:
                                                                                • API String ID: 2029273394-0
                                                                                • Opcode ID: d49988c6132262c40630c23acfd072d87a1502cfa425db9fb1d34ae4792e894f
                                                                                • Instruction ID: 04a8f9d1ef649390ce1f3077f936d183f4daac5a5af1d9d531c5a106f1681e39
                                                                                • Opcode Fuzzy Hash: d49988c6132262c40630c23acfd072d87a1502cfa425db9fb1d34ae4792e894f
                                                                                • Instruction Fuzzy Hash: DD51D270D142589FDB14DFAAE984BDDFBF5BF48304F24802AE509AB290DB74A885CF51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindNextFileW.KERNELBASE(00000000,00000000), ref: 052FA06A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.364013934.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: FileFindNext
                                                                                • String ID:
                                                                                • API String ID: 2029273394-0
                                                                                • Opcode ID: cdb10617a00e2f8f7e0d4ae5fbf5e2f6e556e967bdb81a73a47cada98311fd72
                                                                                • Instruction ID: 1918b2b11260b7b705ff8d767244001501daed3e1f3f796abe841218d8f724bd
                                                                                • Opcode Fuzzy Hash: cdb10617a00e2f8f7e0d4ae5fbf5e2f6e556e967bdb81a73a47cada98311fd72
                                                                                • Instruction Fuzzy Hash: C151E070D142589FDB14DFA9E988BDDFBF1BF48304F24802AE509AB290DB74A885CF51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(?), ref: 02DB82DF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.362967135.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 363e4a7259071da71739aed467d89f11181735a609ab342b57d8c444152fba73
                                                                                • Instruction ID: f53a16cb78cc6656ae78d73638e3a062df359774c295f3d25e87f62150023b3a
                                                                                • Opcode Fuzzy Hash: 363e4a7259071da71739aed467d89f11181735a609ab342b57d8c444152fba73
                                                                                • Instruction Fuzzy Hash: 2D410FB0E00618DFDB11DFA9C8957DEBBF5AF48314F148129E856EB380DB749846CB92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02DB854C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.362967135.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 2b98dc11688b7ebf89b795e656ab2c54fb42ff973a45f64f6da8428b179cd21c
                                                                                • Instruction ID: 7bec7858f903643cc70b174e5d71d276c4f1644f33aa8e166f68df2846aebdfc
                                                                                • Opcode Fuzzy Hash: 2b98dc11688b7ebf89b795e656ab2c54fb42ff973a45f64f6da8428b179cd21c
                                                                                • Instruction Fuzzy Hash: 0A11F4719042099FCB10DFAAC884ADFFBF9FF48224F15842AE519A7200C774A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindClose.KERNELBASE(?,?,?,?,?,?,?,?,?,?,052F9ECB), ref: 052FA1A7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.364013934.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CloseFind
                                                                                • String ID:
                                                                                • API String ID: 1863332320-0
                                                                                • Opcode ID: d499457c37b5fcdda34d07bb906e59bf860b8a90f2d739df378654604ebe7566
                                                                                • Instruction ID: fecb922c9bb33904d02dbb0d6ea384d11c2eb9e79d4daae837b3077976981313
                                                                                • Opcode Fuzzy Hash: d499457c37b5fcdda34d07bb906e59bf860b8a90f2d739df378654604ebe7566
                                                                                • Instruction Fuzzy Hash: DF1128719146098FDB10DF9AD8447DEFBF4EF48324F158429E519A3640D378A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindClose.KERNELBASE(?,?,?,?,?,?,?,?,?,?,052F9ECB), ref: 052FA1A7
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.364013934.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CloseFind
                                                                                • String ID:
                                                                                • API String ID: 1863332320-0
                                                                                • Opcode ID: b572cf6762bff71973762ea93bbcfd8b717a71f3c9eeffc40140741375f1594c
                                                                                • Instruction ID: aeda9e3c8c7473df4c17046aa192b0377398e38289f0152d823bb6f6ed330d9f
                                                                                • Opcode Fuzzy Hash: b572cf6762bff71973762ea93bbcfd8b717a71f3c9eeffc40140741375f1594c
                                                                                • Instruction Fuzzy Hash: 9E1113B18006098FDB20DF9AD845BDEFBF8EF48324F15842AE519A3641D778A945CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02DB8FE3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.362967135.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 4f08dc695d24b4c9665d1145776f4cb115a89899cb402cee3c3483eaba80f210
                                                                                • Instruction ID: bf4151e8f7daf06f739fd841d9783ce24d83ea8faef2e56c785284c073da7dd2
                                                                                • Opcode Fuzzy Hash: 4f08dc695d24b4c9665d1145776f4cb115a89899cb402cee3c3483eaba80f210
                                                                                • Instruction Fuzzy Hash: E61134719042098BCB10DFAAC844BDFFBF9EF88324F158819E525A7340CB75A954CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359633849.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7cfe755d248ab6bdcfffc829880647bda97b349dbcb89171523b8bc86b0d1554
                                                                                • Instruction ID: 8cecc287c12dc9a5e3ab48470280f5e73d4d5bc81fcfd98fe99380f311b8e29d
                                                                                • Opcode Fuzzy Hash: 7cfe755d248ab6bdcfffc829880647bda97b349dbcb89171523b8bc86b0d1554
                                                                                • Instruction Fuzzy Hash: 2021F5B1504240DFDF1DDF98E9C0BA6BB75FB8832CF248569E9094B246C336D856C7A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359633849.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3713e04f40ee633b8d5b25e919fa22188943513560a38e4387c4eafe2a0005a8
                                                                                • Instruction ID: 3b15acbe1fa12345272021f67a43d56a604fed2e5d181536008e310c54682cc4
                                                                                • Opcode Fuzzy Hash: 3713e04f40ee633b8d5b25e919fa22188943513560a38e4387c4eafe2a0005a8
                                                                                • Instruction Fuzzy Hash: CF210671504240DFDF0DDF94E9C0B96BB65FB84328F248569E9094B607C33AD856C7A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359667298.00000000011CD000.00000040.00000001.sdmp, Offset: 011CD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0319d3f4b97be57460f56f1b7fa7f8e33cdf78e58156046cac3ff9b366e60283
                                                                                • Instruction ID: c6957bb73480e4d6faa74368512d802dda23d951230ecda99b9be6ed5b41680e
                                                                                • Opcode Fuzzy Hash: 0319d3f4b97be57460f56f1b7fa7f8e33cdf78e58156046cac3ff9b366e60283
                                                                                • Instruction Fuzzy Hash: 782121B1104240DFCF19DF98E9C0B26BBA5FB84B64F20857DE9090B202C336D826C7A3
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359667298.00000000011CD000.00000040.00000001.sdmp, Offset: 011CD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 26f8417e35484c85c5744740b07cfd9fad3dfdc9f3ae78790923855164602bdf
                                                                                • Instruction ID: b39f8869ff1af20df720f3a67aeb5e03a8e2ee5270a2e3faa70697b093755641
                                                                                • Opcode Fuzzy Hash: 26f8417e35484c85c5744740b07cfd9fad3dfdc9f3ae78790923855164602bdf
                                                                                • Instruction Fuzzy Hash: 1B21B3714083809FCB07CF18E994B15BF71EB86710F2985EAD8444B657C33AD81ACBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359633849.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4eb738e5d623c71b0f092ac5447f6cf4a7c5514d59896417311b313eff137825
                                                                                • Instruction ID: 78b96d62a969ed64d589fab16e284f1e06adb366fc9b782eb7354fec45fd2525
                                                                                • Opcode Fuzzy Hash: 4eb738e5d623c71b0f092ac5447f6cf4a7c5514d59896417311b313eff137825
                                                                                • Instruction Fuzzy Hash: 8511D376504280CFCF1ACF58E5C4B56BF71FB84328F2486A9D8094B65BC336D45ACBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359633849.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4eb738e5d623c71b0f092ac5447f6cf4a7c5514d59896417311b313eff137825
                                                                                • Instruction ID: 1e1818b27910e85f63dd24ee337ee6270103a9780aad8237a39a08a7b3e9d207
                                                                                • Opcode Fuzzy Hash: 4eb738e5d623c71b0f092ac5447f6cf4a7c5514d59896417311b313eff137825
                                                                                • Instruction Fuzzy Hash: 4C11B176504280CFCF1ACF54E9C4B56BF72FB84328F2486A9D8050B617C336D45ACBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359633849.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9790009085a5f056ddbef3a907086b2f229d8ac1bf5f7cd4b0613f904e137b29
                                                                                • Instruction ID: 395d6c61cfd917ca2eb50097b26c981d98e6842f7691e727635f76bcb3575a30
                                                                                • Opcode Fuzzy Hash: 9790009085a5f056ddbef3a907086b2f229d8ac1bf5f7cd4b0613f904e137b29
                                                                                • Instruction Fuzzy Hash: 9D01FC715083449EEB2D5B65ECC57A2BB98EF41229F088419FD0C5B243C3799844C772
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.359633849.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 15bd0a370fcdc7920673973278a64e2311a8b280e60062626eff87dc93494602
                                                                                • Instruction ID: ffdb855f1496bfe17eca00b11626977c15d15098c8e9824a81429df0810cfa7e
                                                                                • Opcode Fuzzy Hash: 15bd0a370fcdc7920673973278a64e2311a8b280e60062626eff87dc93494602
                                                                                • Instruction Fuzzy Hash: AFF06271505354AAEB259A19DCC4BA2FFA8EB41638F18C45AED085B287C3799844CBB1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions